libmongocrypt-helper 1.13.2.0.1001 → 1.14.0.0.1001

data/ext/libmongocrypt/libmongocrypt/bindings/python/scripts/update-version.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+set -eu
+
+SCRIPT_DIR=$(dirname ${BASH_SOURCE:-$0})
+
+if [ -z "${1:-}" ]; then
+    echo "Provide the new version of libmongocrypt!"
+    exit 1
+fi
+
+LIBMONGOCRYPT_VERSION=$1
+
+echo $LIBMONGOCRYPT_VERSION > $SCRIPT_DIR/libmongocrypt-version.txt
+
+pushd $SCRIPT_DIR/..
+if [ $(command -v podman) ]; then
+    DOCKER=podman
+else
+    DOCKER=docker
+fi
+
+echo "pkg:github/mongodb/libmongocrypt@$LIBMONGOCRYPT_VERSION" > purls.txt
+$DOCKER run --platform="linux/amd64" -it --rm -v $(pwd):$(pwd) artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 update --purls=$(pwd)/purls.txt -o $(pwd)/sbom.json
+rm purls.txt
+
+popd

data/ext/libmongocrypt/libmongocrypt/bindings/python/scripts/update_binding.py

@@ -0,0 +1,78 @@
+# Copyright 2019-present MongoDB, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Update pymongocrypt/bindings.py using mongocrypt.h.
+"""
+
+import re
+from pathlib import Path
+
+DROP_RE = re.compile(r"^\s*(#|MONGOCRYPT_EXPORT)")
+HERE = Path(__file__).absolute().parent
+
+
+# itertools.pairwise backport for Python 3.9 support.
+def pairwise(iterable):
+    # pairwise('ABCDEFG') → AB BC CD DE EF FG
+
+    iterator = iter(iterable)
+    a = next(iterator, None)
+
+    for b in iterator:
+        yield a, b
+        a = b
+
+
+def strip_file(content):
+    fold = content.replace("\\\n", " ")
+    all_lines = [*fold.split("\n"), ""]
+    keep_lines = (line for line in all_lines if not DROP_RE.match(line))
+    fin = ""
+    for line, peek in pairwise(keep_lines):
+        if peek == "" and line == "":
+            # Drop adjacent empty lines
+            continue
+        yield line
+        fin = peek
+    yield fin
+
+
+def update_bindings():
+    header_file = HERE.parent.parent.parent / "src/mongocrypt.h"
+    with header_file.open(encoding="utf-8") as fp:
+        header_lines = strip_file(fp.read())
+
+    target = HERE.parent / "pymongocrypt/binding.py"
+    source_lines = target.read_text().splitlines()
+    new_lines = []
+    skip = False
+    for line in source_lines:
+        if not skip:
+            new_lines.append(line)
+        if line.strip() == "# Start embedding from update_binding.py":
+            skip = True
+            new_lines.append("ffi.cdef(")
+            new_lines.append('"""')
+            new_lines.extend(header_lines)
+        if line.strip() == "# End embedding from update_binding.py":
+            new_lines.append('"""')
+            new_lines.append(")")
+            new_lines.append(line)
+            skip = False
+    with target.open("w") as f:
+        f.write("\n".join(new_lines))
+
+
+if __name__ == "__main__":
+    update_bindings()

data/ext/libmongocrypt/libmongocrypt/bindings/python/test/test_mongocrypt.py

@@ -143,6 +143,11 @@ class TestMongoCryptOptions(unittest.TestCase):
         )
         self.assertEqual(opts.encrypted_fields_map, encrypted_fields_map)
         self.assertTrue(opts.bypass_query_analysis)
+        for expiration in [0, 1, 1000000]:
+            opts = MongoCryptOptions(
+                valid[0][0], schema_map, key_expiration_ms=expiration
+            )
+            self.assertEqual(opts.key_expiration_ms, expiration)
 
     def test_mongocrypt_options_validation(self):
         with self.assertRaisesRegex(
@@ -192,6 +197,12 @@ class TestMongoCryptOptions(unittest.TestCase):
             TypeError, "encrypted_fields_map must be bytes or None"
         ):
             MongoCryptOptions(valid_kms, encrypted_fields_map={})
+        with self.assertRaisesRegex(TypeError, "key_expiration_ms must be int or None"):
+            MongoCryptOptions(valid_kms, key_expiration_ms="123")
+        with self.assertRaisesRegex(
+            ValueError, "key_expiration_ms must be >=0 or None"
+        ):
+            MongoCryptOptions(valid_kms, key_expiration_ms=-1)
 
 
 class TestMongoCrypt(unittest.TestCase):
@@ -507,6 +518,8 @@ class TestMongoCryptCallback(unittest.TestCase):
         os.getenv("TEST_CRYPT_SHARED"), "this test requires TEST_CRYPT_SHARED=1"
     )
     def test_crypt_shared(self):
+        if sys.platform == "darwin":
+            raise unittest.SkipTest("Skipping due to SERVER-101020")
         kms_providers = {
             "aws": {"accessKeyId": "example", "secretAccessKey": "example"},
             "local": {"key": b"\x00" * 96},
@@ -638,6 +651,8 @@ if sys.version_info >= (3, 8, 0):  # noqa: UP036
             os.getenv("TEST_CRYPT_SHARED"), "this test requires TEST_CRYPT_SHARED=1"
         )
         async def test_crypt_shared(self):
+            if sys.platform == "darwin":
+                raise unittest.SkipTest("Skipping due to SERVER-101020")
             kms_providers = {
                 "aws": {"accessKeyId": "example", "secretAccessKey": "example"},
                 "local": {"key": b"\x00" * 96},

data/ext/libmongocrypt/libmongocrypt/doc/releasing.md

@@ -19,7 +19,7 @@ Go to [Snyk](https://app.snyk.io/) and select the `dev-prod` organization. If ac
 
 ##### Update Snyk
 
-Update the Snyk reference target tracking the to-be-released branch. For a patch release (e.g. x.y.z), check-out the `rx.y` branch and update the `rx.y` reference target. For a minor release (e.g. x.y.0), check out the `master` branch update the `master` reference target.
+Update the Snyk reference target tracking the to-be-released branch. For a patch release (e.g. x.y.z), check-out the `rx.y` branch and update the `rx.y` reference target. For a non-patch release (e.g. x.y.0), check out the `master` branch and update the `master` reference target.
 
 Run `cmake` to ensure generated source files are present:
 ```bash
@@ -61,14 +61,14 @@ Check the contents of the "vulnerabilities" field (if present) in the Augmented
 
 Do the following when releasing:
 - If this is a feature release (e.g. `x.y.0` or `x.0.0`), follow these steps: [Creating SSDLC static analysis reports](https://docs.google.com/document/d/1rkFL8ymbkc0k8Apky9w5pTPbvKRm68wj17mPJt2_0yo/edit).
-- Check out the release branch. For a release `x.y.z`, the release branch is `rx.y`. If this is a new minor release (`x.y.0`), create the release branch.
+- Check out the release branch. For a release `x.y.z`, the release branch is `rx.y`. If this is a new non-patch release (`x.y.0`), create the release branch.
 - Update CHANGELOG.md with the version being released.
 - Ensure `etc/purls.txt` is up-to-date.
 - Update `etc/third_party_vulnerabilities.md` with any updates to new or known vulnerabilities for third party dependencies that must be reported.
-- If this is a new minor release (e.g. `x.y.0`):
+- If this is a new non-patch release (e.g. `x.y.0`):
    - Update the Linux distribution package installation instructions in [README.md](../README.md) to refer to the new version `x.y`.
    - Update the [libmongocrypt-release](https://spruce.mongodb.com/project/libmongocrypt-release/settings/general) Evergreen project (requires auth) to set `Branch Name` to `rx.y`.
-- Commit the changes on the `rx.y` branch with a message like "Update CHANGELOG.md for x.y.z".
+- Commit the changes on the `rx.y` branch with a message like "Release x.y.z".
 - Tag the commit with `git tag -a <tag>`.
    - Push both the branch ref and tag ref in the same command: `git push origin master 1.8.0-alpha0` or `git push origin r1.8 1.8.4`
    - Pushing the branch ref and the tag ref in the same command eliminates the possibility of a race condition in Evergreen (for building resources based on the presence of a release tag)
@@ -77,20 +77,20 @@ Do the following when releasing:
    - `upload-all`
    - `windows-upload-release`
    - All `publish-packages` tasks.
-      - If the `publish-packages` tasks fail with an error like `[curator] 2024/01/02 13:56:17 [p=emergency]: problem submitting repobuilder job: 404 (Not Found)`, this suggests the published path does not yet exist. Barque (the Linux package publishing service) has protection to avoid unintentional publishes. File a DEVPROD ticket ([example](https://jira.mongodb.org/browse/DEVPROD-4053)) and assign to the team called Release Infrastructure to request the path be created. Then re-run the failing `publish-packages` task. Ask in the slack channel `#devprod-release-tools` for further help with `Barque` or `curator`.
+      - If the `publish-packages` tasks fail with an error like `[curator] 2024/01/02 13:56:17 [p=emergency]: problem submitting repobuilder job: 404 (Not Found)`, this suggests the published path does not yet exist. Barque (the Linux package publishing service) has protection to avoid unintentional publishes. File a DEVPROD ticket ([example](https://jira.mongodb.org/browse/DEVPROD-15320)) and assign to the team called Release Infrastructure to request the path be created. Then re-run the failing `publish-packages` task. Ask in the slack channel `#ask-devprod-release-tools` for further help with `Barque` or `curator`.
 - Create the release from the GitHub releases page from the new tag.
-   - Attach the tarball and signature file from the Files tab of the `windows-upload-release` task. [Example](https://github.com/mongodb/libmongocrypt/releases/tag/1.10.0).
+   - Attach the tarball and signature file from the Files tab of the `windows-upload-release` task. [Example](https://github.com/mongodb/libmongocrypt/releases/tag/1.13.0).
    - Attach the Augmented SBOM file to the release as `cyclonedx.augmented.sbom.json`.
      Download the Augmented SBOM from a recent execution of the `sbom` task in an Evergreen patch or commit build.
    - Attach `etc/third_party_vulnerabilities.md` to the release.
    - Attach `etc/ssdlc_compliance_report.md` to the release.
-
-- If this is a new minor release (e.g. `x.y.0`):
-   - File a DOCSP ticket to update the installation instructions on [Install libmongocrypt](https://www.mongodb.com/docs/manual/core/csfle/reference/libmongocrypt/). ([Example](https://jira.mongodb.org/browse/DOCSP-36863))
-   - Generate a new unique SBOM serial number for the next release:
-     ```bash
-     ./.evergreen/earthly.sh +sbom-generate-new-serial-number
-     ```
+- Check out the release branch (`rx.y`). Generate a new unique SBOM serial number for the next upcoming patch release (e.g. for `1.13.1` following the release of `1.13.0`):
+   ```bash
+   ./.evergreen/earthly.sh +sbom-generate-new-serial-number
+   ```
+   Commit resulting `etc/cyclonedx.sbom.json` and push to `rx.y`.
+- If this is a new non-patch release (e.g. `x.y.0`):
+   - File a DOCSP ticket to update the installation instructions on [Install libmongocrypt](https://www.mongodb.com/docs/manual/core/csfle/reference/libmongocrypt/). ([Example](https://jira.mongodb.org/browse/DOCSP-47954))
    - Create a new Snyk reference target. The following instructions use the example branch `rx.y`:
 
      Run `cmake` to ensure generated source files are present:
@@ -118,20 +118,27 @@ Do the following when releasing:
      - Navigate to the [Webhook Settings](https://github.com/mongodb/libmongocrypt/settings/hooks).
      - Click `Edit` on the hook for `https://githook.mongodb.com/`.
      - Add the new release branch to the `Payload URL`. Remove unmaintained release branches.
-- Make a PR to apply the "Update CHANGELOG.md for x.y.z" commit to the `master` branch.
+- Make a PR to to the `master` branch:
+   - Apply changes from the "Release x.y.z" commit.
+   - If this was a non-patch release (e.g. `x.y.0`), generate a new unique SBOM serial number for the next upcoming non-patch release (e.g. for `1.14.0` following the release of `1.13.0`):
+     ```bash
+     ./.evergreen/earthly.sh +sbom-generate-new-serial-number
+     ```
+     Commit resulting `etc/cyclonedx.sbom.json`.
 - Update the release on the [Jira releases page](https://jira.mongodb.org/projects/MONGOCRYPT/versions).
 - Record the release on [C/C++ Release Info](https://docs.google.com/spreadsheets/d/1yHfGmDnbA5-Qt8FX4tKWC5xk9AhzYZx1SKF4AD36ecY/edit?usp=sharing). This is done to meet SSDLC reporting requirements.
 - Add a link to the Evergreen waterfall for the tagged commit to [libmongocrypt Security Testing Summary](https://docs.google.com/document/d/1dc7uvBzu3okAIsA8LSW5sVQGkYIvwpBVdg5v4wb4c4s/edit#heading=h.5t79jwe4p0ss).
 
 ## Homebrew steps ##
-Submit a PR to update the Homebrew package https://github.com/mongodb/homebrew-brew/blob/master/Formula/libmongocrypt.rb. ([Example](https://github.com/mongodb/homebrew-brew/pull/208)). If not on macOS, request a team member to do this step.
+Submit a PR to update the Homebrew package https://github.com/mongodb/homebrew-brew/blob/master/Formula/libmongocrypt.rb. ([Example](https://github.com/mongodb/homebrew-brew/pull/234)). If not on macOS, request a team member to do this step.
+Request review by posting in #ask-devprod-build.
 
 ## Debian steps ##
 If you are not a Debian maintainer on the team, request a team member to do the steps in this section.
 
 Refer to the [Debian](https://github.com/mongodb/mongo-c-driver/blob/master/docs/dev/debian.rst) steps.
 
-For a minor release (e.g. x.y.0), submit a merge request to the [extrepo-data](https://salsa.debian.org/extrepo-team/extrepo-data) project in Debian to update the PPA. The change would look something like this:
+For a non-patch release (e.g. x.y.0), submit a merge request to the [extrepo-data](https://salsa.debian.org/extrepo-team/extrepo-data) project in Debian to update the PPA. The change would look something like this:
 
 ```
 diff --git a/repos/debian/libmongocrypt.yaml b/repos/debian/libmongocrypt.yaml
@@ -142,8 +149,8 @@ index 609dc0b..f7530a9 100644
    source:
      Types: deb
      URIs: https://libmongocrypt.s3.amazonaws.com/apt/debian
--    Suites: <SUITE>/libmongocrypt/1.11
-+    Suites: <SUITE>/libmongocrypt/1.12
+-    Suites: <SUITE>/libmongocrypt/1.12
++    Suites: <SUITE>/libmongocrypt/1.13
      Components: main
      Architectures: amd64 arm64
    suites:

data/ext/libmongocrypt/libmongocrypt/etc/calc_release_version.py

@@ -38,19 +38,45 @@ import datetime
 import re
 import subprocess
 import sys
-try:
-    # Prefer newer `packaging` over deprecated packages.
-    from packaging.version import Version as Version
-    from packaging.version import parse as parse_version
-except ImportError:
-    # Fallback to deprecated pkg_resources.
-    try:
-        from pkg_resources.extern.packaging.version import Version
-        from pkg_resources import parse_version
-    except ImportError:
-        # Fallback to deprecated distutils.
-        from distutils.version import LooseVersion as Version
-        from distutils.version import LooseVersion as parse_version
+
+class Version:
+    def __init__(self, s):
+        pat = r'(\d+)\.(\d+)\.(\d+)(\-\S+)?'
+        match = re.match(pat, s)
+        assert match, "Unrecognized version string %s" % s
+        self.major, self.minor, self.micro = (
+            map(int, (match.group(1), match.group(2), match.group(3))))
+
+        if match.group(4):
+            self.prerelease = match.group(4)[1:]
+        else:
+            self.prerelease = ''
+
+    def __lt__(self, other):
+        if self.major != other.major:
+            return self.major < other.major
+        if self.minor != other.minor:
+            return self.minor < other.minor
+        if self.micro != other.micro:
+            return self.micro < other.micro
+        if self.prerelease != other.prerelease:
+            if self.prerelease != '' and other.prerelease == '':
+                # Consider a prerelease less than non-prerelease.
+                return True
+            # For simplicity, compare prerelease versions lexicographically.
+            return self.prerelease < other.prerelease
+
+        # Versions are equal.
+        return False
+
+    def __eq__(self, other):
+        self_tuple = self.major, self.minor, self.micro, self.prerelease
+        other_tuple = other.major, other.minor, other.micro, other.prerelease
+        return self_tuple == other_tuple
+
+
+def parse_version(ver):
+    return Version(ver)
 
 DEBUG = len(sys.argv) > 1 and '-d' in sys.argv
 if DEBUG:

data/ext/libmongocrypt/libmongocrypt/etc/calc_release_version_selftest.sh

@@ -66,7 +66,7 @@ echo "Test next minor version ... begin"
     # failed, then it is probably because a new major/minor release was made.
     # Update the expected output to represent the correct next version.
     # XXX NOTE XXX NOTE XXX
-    assert_eq "$got" "1.9.0-$DATE+git$CURRENT_SHORTREF"
+    assert_eq "$got" "1.14.0-$DATE+git$CURRENT_SHORTREF"
 }
 echo "Test next minor version ... end"
 

data/ext/libmongocrypt/libmongocrypt/etc/cyclonedx.sbom.json

@@ -57,7 +57,7 @@
     }
   ],
   "metadata": {
-    "timestamp": "2025-04-08T13:06:37.750496+00:00",
+    "timestamp": "2025-04-08T15:21:23.237097+00:00",
     "tools": [
       {
         "externalReferences": [
@@ -100,7 +100,7 @@
       }
     ]
   },
-  "serialNumber": "urn:uuid:1eeadd7e-be33-4e55-960c-02bac1da4cf7",
+  "serialNumber": "urn:uuid:9e8a6b86-64aa-4438-bd54-80fd66afce96",
   "version": 1,
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",

data/ext/libmongocrypt/libmongocrypt/kms-message/CMakeLists.txt

@@ -4,7 +4,7 @@ project (kms_message
    LANGUAGES C
 )
 
-set (CMAKE_C_STANDARD 90)
+set (CMAKE_C_STANDARD 99)
 
 include (CheckCCompilerFlag)
 # All targets obey visibility, not just library targets.

data/ext/libmongocrypt/libmongocrypt/kms-message/src/hexlify.c

@@ -14,7 +14,12 @@
  * limitations under the License.
  */
 
+#include "hexlify.h"
+
+//
+
 #include "kms_message_private.h"
+
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>

data/ext/libmongocrypt/libmongocrypt/kms-message/src/hexlify.h

@@ -21,4 +21,4 @@ char *
 hexlify (const uint8_t *buf, size_t len);
 
 int
-unhexlify (const char *in, size_t len);
+unhexlify (const char *in, size_t len);

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_azure_request.c

@@ -216,4 +216,4 @@ kms_azure_request_unwrapkey_new (const char *host,
                                ciphertext,
                                ciphertext_len,
                                opt);
-}
+}

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_gcp_request.c

@@ -283,4 +283,4 @@ kms_gcp_request_decrypt_new (const char *host,
                                    ciphertext,
                                    ciphertext_len,
                                    opt);
-}
+}

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_kmip_reader_writer.c

@@ -279,7 +279,8 @@ kmip_reader_has_data (kmip_reader_t *reader)
 #define CHECK_REMAINING_BUFFER_AND_RET(read_size)   \
    if ((reader->pos + (read_size)) > reader->len) { \
       return false;                                 \
-   }
+   } else                                           \
+      ((void)0)
 
 bool
 kmip_reader_read_u8 (kmip_reader_t *reader, uint8_t *value)
@@ -346,7 +347,8 @@ kmip_reader_read_bytes (kmip_reader_t *reader, uint8_t **ptr, size_t length)
 #define CHECK_AND_RET(x) \
    if (!(x)) {           \
       return false;      \
-   }
+   } else                \
+      ((void)0)
 
 bool
 kmip_reader_read_tag (kmip_reader_t *reader, kmip_tag_type_t *tag)

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_kmip_request.c

@@ -83,7 +83,7 @@ kms_kmip_request_register_secretdata_new (void *reserved,
 
    if (len != KMS_KMIP_REQUEST_SECRETDATA_LENGTH) {
       KMS_ERROR (req,
-                 "expected SecretData length of %d, got %" PRIu32,
+                 "expected SecretData length of %d, got %zu",
                  KMS_KMIP_REQUEST_SECRETDATA_LENGTH,
                  len);
       return req;
@@ -463,4 +463,3 @@ kms_kmip_request_decrypt_new (void *reserved, const char* unique_identifer, cons
    */
    return kmip_encrypt_decrypt(unique_identifer, ciphertext, len, iv_data, iv_len, false);
 }
-

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_message_private.h

@@ -124,6 +124,9 @@ struct _kms_response_parser_t {
       }                      \
    } while (0)
 
+#ifdef __GNUC__
+__attribute__((format(__printf__, 3, 4)))
+#endif
 void
 kms_set_error (char *error, size_t size, const char *fmt, ...);
 
@@ -137,6 +140,7 @@ kms_set_error (char *error, size_t size, const char *fmt, ...);
    if (!(stmt)) {                             \
       fprintf (stderr, "%s failed\n", #stmt); \
       abort ();                               \
-   }
+   } else                                     \
+       ((void)0)
 
 #endif /* KMS_MESSAGE_PRIVATE_H */

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_request.c

@@ -744,7 +744,7 @@ done:
    return kms_request_str_detach (sig);
 }
 
-void
+static void
 kms_request_validate (kms_request_t *request)
 {
    if (!check_and_prohibit_kmip (request)) {

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_request_opt.c

@@ -85,4 +85,4 @@ kms_request_opt_set_crypto_hook_sign_rsaes_pkcs1_v1_5 (
 {
    opt->crypto.sign_rsaes_pkcs1_v1_5 = sign_rsaes_pkcs1_v1_5;
    opt->crypto.sign_ctx = sign_ctx;
-}
+}

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_request_str.c

@@ -27,8 +27,8 @@
 #include <stdlib.h>
 #include <limits.h> /* CHAR_BIT */
 
-bool rfc_3986_tab[256] = {0};
-bool kms_initialized = false;
+static bool rfc_3986_tab[256] = {0};
+static bool kms_initialized = false;
 
 static void
 tables_init (void)
@@ -126,12 +126,6 @@ kms_request_str_detach (kms_request_str_t *str)
    return r;
 }
 
-const char *
-kms_request_str_get (kms_request_str_t *str)
-{
-   return str->str;
-}
-
 bool
 kms_request_str_reserve (kms_request_str_t *str, size_t size)
 {

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_request_str.h

@@ -64,10 +64,19 @@ kms_request_str_append_newline (kms_request_str_t *str);
 KMS_MSG_EXPORT (void)
 kms_request_str_append_lowercase (kms_request_str_t *str,
                                   kms_request_str_t *appended);
+
+#ifdef __GNUC__
+__attribute__((format(__printf__, 2, 3)))
+#endif
 KMS_MSG_EXPORT (void)
 kms_request_str_appendf (kms_request_str_t *str, const char *format, ...);
+
+#ifdef __GNUC__
+__attribute__((format(__printf__, 2, 3)))
+#endif
 KMS_MSG_EXPORT (void)
 kms_request_strdupf (kms_request_str_t *str, const char *format, ...);
+
 KMS_MSG_EXPORT (void)
 kms_request_str_append_escaped (kms_request_str_t *str,
                                 kms_request_str_t *appended,

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_response_parser.c

@@ -81,7 +81,6 @@ kms_response_parser_wants_bytes (kms_response_parser_t *parser, int32_t max)
    default:
       KMS_ASSERT (false && "Invalid kms_response_parser HTTP state");
    }
-   return -1;
 }
 
 static bool

data/ext/libmongocrypt/libmongocrypt/kms-message/src/sort.c

@@ -37,6 +37,10 @@
  * https://github.com/freebsd/freebsd/blob/e7c6cef9514d3bb1f14a30a5ee871231523e43db/lib/libc/stdlib/merge.c
  */
 
+#include "sort.h"
+
+//
+
 #include <stddef.h>
 
 /*
@@ -44,10 +48,9 @@
  * last 4 elements.
  */
 
-typedef int (*cmp_t) (const void *, const void *);
 #define CMP(x, y) cmp (x, y)
 #define swap(a, b)   \
-   {                 \
+   if (1) {          \
       s = b;         \
       i = size;      \
       do {           \
@@ -56,7 +59,8 @@ typedef int (*cmp_t) (const void *, const void *);
          *s++ = tmp; \
       } while (--i); \
       a -= size;     \
-   }
+   } else            \
+      ((void)0)
 
 void
 insertionsort (unsigned char *a, size_t n, size_t size, cmp_t cmp)

data/ext/libmongocrypt/libmongocrypt/kms-message/src/sort.h

@@ -15,6 +15,8 @@
  * limitations under the License.
  */
 
+#include <stddef.h>
+
 typedef int (*cmp_t) (const void *, const void *);
 
 void

data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kmip_reader_writer.c

@@ -6,7 +6,7 @@
  * You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
- *
+
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -54,6 +54,7 @@ kms_kmip_writer_test_evaluate (kmip_writer_t *writer,
    free (expected_hex);
 }
 
+void kms_kmip_writer_test (void); // -Wmissing-prototypes: for testing only.
 void
 kms_kmip_writer_test (void)
 {
@@ -140,6 +141,7 @@ kms_kmip_writer_test (void)
    kmip_writer_destroy (writer);
 }
 
+void kms_kmip_reader_test (void); // -Wmissing-prototypes: for testing only.
 void
 kms_kmip_reader_test (void)
 {
@@ -312,6 +314,7 @@ kms_kmip_reader_test (void)
    free (data);
 }
 
+void kms_kmip_reader_negative_int_test (void); // -Wmissing-prototypes: for testing only.
 void
 kms_kmip_reader_negative_int_test (void)
 {
@@ -356,6 +359,7 @@ kms_kmip_reader_negative_int_test (void)
    free (data);
 }
 
+void kms_kmip_reader_find_test (void); // -Wmissing-prototypes: for testing only.
 void
 kms_kmip_reader_find_test (void)
 {
@@ -404,6 +408,7 @@ kms_kmip_reader_find_test (void)
    free (data);
 }
 
+void kms_kmip_reader_find_and_recurse_test (void); // -Wmissing-prototypes: for testing only.
 void
 kms_kmip_reader_find_and_recurse_test (void)
 {
@@ -438,6 +443,7 @@ kms_kmip_reader_find_and_recurse_test (void)
    free (data);
 }
 
+void kms_kmip_reader_find_and_read_enum_test (void); // -Wmissing-prototypes: for testing only.
 void
 kms_kmip_reader_find_and_read_enum_test (void)
 {
@@ -470,6 +476,7 @@ kms_kmip_reader_find_and_read_enum_test (void)
    free (data);
 }
 
+void kms_kmip_reader_find_and_read_bytes_test (void); // -Wmissing-prototypes: for testing only.
 void
 kms_kmip_reader_find_and_read_bytes_test (void)
 {

data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_assert.h

@@ -44,7 +44,7 @@
 #define TEST_ERROR(...)                                                \
    do {                                                                \
       TEST_STDERR_PRINTF (                                             \
-         "test error %s:%d %s(): ", __FILE__, __LINE__, __FUNCTION__); \
+         "test error %s:%d %s(): ", __FILE__, __LINE__, __func__); \
       TEST_STDERR_PRINTF (__VA_ARGS__);                                \
       TEST_STDERR_PRINTF ("\n");                                       \
       abort ();                                                        \
@@ -53,7 +53,8 @@
 #define ASSERT(stmt)                             \
    if (!(stmt)) {                                \
       TEST_ERROR ("statement failed %s", #stmt); \
-   }
+   } else                                        \
+      ((void)0)
 
 #define ASSERT_CMPSTR_WITH_LEN(_expect, _expect_len, _actual, _actual_len)     \
    do {                                                                        \
@@ -98,7 +99,7 @@
          TEST_ERROR (                                                   \
             "comparison failed: %d %s %d", _a_int, #_operator, _b_int); \
       }                                                                 \
-   } while (0);
+   } while (0)
 
 #define ASSERT_CMPBYTES(                                                \
    expected_bytes, expected_len, actual_bytes, actual_len)              \
@@ -161,4 +162,4 @@
       ASSERT_CONTAINS (_error_str, expect_substring);              \
    } while (0)
 
-#endif /* TEST_KMS_ASSERT_H */
+#endif /* TEST_KMS_ASSERT_H */

data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_azure_online.c

@@ -257,4 +257,4 @@ main (int argc, char **argv)
    kms_message_init ();
    test_azure_wrapkey ();
    return 0;
-}
+}