libmongocrypt-helper 1.13.2.0.1001 → 1.14.0.0.1001

Files changed (250)
  1. checksums.yaml +4 -4
  2. data/ext/libmongocrypt/libmongocrypt/CHANGELOG.md +8 -0
  3. data/ext/libmongocrypt/libmongocrypt/CMakeLists.txt +5 -1
  4. data/ext/libmongocrypt/libmongocrypt/CODEOWNERS +4 -1
  5. data/ext/libmongocrypt/libmongocrypt/Earthfile +18 -17
  6. data/ext/libmongocrypt/libmongocrypt/README.md +8 -8
  7. data/ext/libmongocrypt/libmongocrypt/bindings/python/CHANGELOG.rst +7 -0
  8. data/ext/libmongocrypt/libmongocrypt/bindings/python/CONTRIBUTING.md +34 -0
  9. data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/asynchronous/state_machine.py +6 -2
  10. data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/binding.py +18 -2
  11. data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py +9 -1
  12. data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/options.py +14 -0
  13. data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/synchronous/state_machine.py +6 -2
  14. data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/version.py +1 -1
  15. data/ext/libmongocrypt/libmongocrypt/bindings/python/sbom.json +8 -8
  16. data/ext/libmongocrypt/libmongocrypt/bindings/python/scripts/libmongocrypt-version.txt +1 -0
  17. data/ext/libmongocrypt/libmongocrypt/bindings/python/{release.sh → scripts/release.sh} +9 -3
  18. data/ext/libmongocrypt/libmongocrypt/bindings/python/{synchro.py → scripts/synchro.py} +16 -9
  19. data/ext/libmongocrypt/libmongocrypt/bindings/python/scripts/synchro.sh +8 -0
  20. data/ext/libmongocrypt/libmongocrypt/bindings/python/scripts/update-version.sh +27 -0
  21. data/ext/libmongocrypt/libmongocrypt/bindings/python/scripts/update_binding.py +78 -0
  22. data/ext/libmongocrypt/libmongocrypt/bindings/python/test/test_mongocrypt.py +15 -0
  23. data/ext/libmongocrypt/libmongocrypt/doc/releasing.md +25 -18
  24. data/ext/libmongocrypt/libmongocrypt/etc/calc_release_version.py +39 -13
  25. data/ext/libmongocrypt/libmongocrypt/etc/calc_release_version_selftest.sh +1 -1
  26. data/ext/libmongocrypt/libmongocrypt/etc/cyclonedx.sbom.json +2 -2
  27. data/ext/libmongocrypt/libmongocrypt/kms-message/CMakeLists.txt +1 -1
  28. data/ext/libmongocrypt/libmongocrypt/kms-message/src/hexlify.c +5 -0
  29. data/ext/libmongocrypt/libmongocrypt/kms-message/src/hexlify.h +1 -1
  30. data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_azure_request.c +1 -1
  31. data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_gcp_request.c +1 -1
  32. data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_kmip_reader_writer.c +4 -2
  33. data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_kmip_request.c +1 -2
  34. data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_message_private.h +5 -1
  35. data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_request.c +1 -1
  36. data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_request_opt.c +1 -1
  37. data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_request_str.c +2 -8
  38. data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_request_str.h +9 -0
  39. data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_response_parser.c +0 -1
  40. data/ext/libmongocrypt/libmongocrypt/kms-message/src/sort.c +7 -3
  41. data/ext/libmongocrypt/libmongocrypt/kms-message/src/sort.h +2 -0
  42. data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kmip_reader_writer.c +8 -1
  43. data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_assert.h +5 -4
  44. data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_azure_online.c +1 -1
  45. data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_gcp_online.c +1 -1
  46. data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_kmip_request.c +4 -0
  47. data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_kmip_response.c +3 -0
  48. data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_kmip_response_parser.c +4 -0
  49. data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_online_util.c +1 -1
  50. data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_online_util.h +1 -1
  51. data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_request.c +39 -39
  52. data/ext/libmongocrypt/libmongocrypt/src/crypto/libcrypto.c +235 -65
  53. data/ext/libmongocrypt/libmongocrypt/src/crypto/none.c +1 -1
  54. data/ext/libmongocrypt/libmongocrypt/src/csfle-markup.cpp +4 -2
  55. data/ext/libmongocrypt/libmongocrypt/src/mc-dec128.h +2 -2
  56. data/ext/libmongocrypt/libmongocrypt/src/mc-dec128.test.cpp +2 -2
  57. data/ext/libmongocrypt/libmongocrypt/src/mc-efc-private.h +1 -4
  58. data/ext/libmongocrypt/libmongocrypt/src/mc-efc.c +9 -11
  59. data/ext/libmongocrypt/libmongocrypt/src/mc-fle-blob-subtype-private.h +1 -0
  60. data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-encryption-placeholder-private.h +10 -8
  61. data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-encryption-placeholder.c +167 -176
  62. data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-equality-payload-v2.c +6 -17
  63. data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-equality-payload.c +6 -17
  64. data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-range-payload-private-v2.h +1 -1
  65. data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-range-payload-v2.c +25 -26
  66. data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-range-payload.c +2 -1
  67. data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-text-payload-private.h +122 -0
  68. data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-text-payload.c +477 -0
  69. data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-insert-update-payload-private-v2.h +1 -3
  70. data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-insert-update-payload-v2.c +28 -43
  71. data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-insert-update-payload.c +6 -17
  72. data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-payload-iev-v2.c +6 -5
  73. data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-payload-iev.c +13 -10
  74. data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-payload-uev-common.c +3 -2
  75. data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-rfds.c +7 -6
  76. data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-tag-and-encrypted-metadata-block.c +4 -3
  77. data/ext/libmongocrypt/libmongocrypt/src/mc-optional-private.h +1 -1
  78. data/ext/libmongocrypt/libmongocrypt/src/mc-parse-utils-private.h +27 -0
  79. data/ext/libmongocrypt/libmongocrypt/src/mc-parse-utils.c +48 -0
  80. data/ext/libmongocrypt/libmongocrypt/src/mc-range-edge-generation-private.h +5 -5
  81. data/ext/libmongocrypt/libmongocrypt/src/mc-range-edge-generation.c +15 -20
  82. data/ext/libmongocrypt/libmongocrypt/src/mc-range-encoding-private.h +4 -6
  83. data/ext/libmongocrypt/libmongocrypt/src/mc-range-encoding.c +9 -18
  84. data/ext/libmongocrypt/libmongocrypt/src/mc-range-mincover-generator.template.h +4 -5
  85. data/ext/libmongocrypt/libmongocrypt/src/mc-range-mincover-private.h +5 -9
  86. data/ext/libmongocrypt/libmongocrypt/src/mc-range-mincover.c +14 -19
  87. data/ext/libmongocrypt/libmongocrypt/src/mc-rangeopts-private.h +2 -4
  88. data/ext/libmongocrypt/libmongocrypt/src/mc-rangeopts.c +109 -119
  89. data/ext/libmongocrypt/libmongocrypt/src/mc-reader-private.h +2 -2
  90. data/ext/libmongocrypt/libmongocrypt/src/mc-reader.c +4 -2
  91. data/ext/libmongocrypt/libmongocrypt/src/mc-schema-broker-private.h +0 -3
  92. data/ext/libmongocrypt/libmongocrypt/src/mc-schema-broker.c +4 -14
  93. data/ext/libmongocrypt/libmongocrypt/src/mc-str-encode-string-sets-private.h +1 -1
  94. data/ext/libmongocrypt/libmongocrypt/src/mc-str-encode-string-sets.c +3 -3
  95. data/ext/libmongocrypt/libmongocrypt/src/mc-text-search-str-encode-private.h +8 -1
  96. data/ext/libmongocrypt/libmongocrypt/src/mc-text-search-str-encode.c +78 -2
  97. data/ext/libmongocrypt/libmongocrypt/src/mc-tokens-private.h +34 -16
  98. data/ext/libmongocrypt/libmongocrypt/src/mc-tokens.c +66 -74
  99. data/ext/libmongocrypt/libmongocrypt/src/mc-writer-private.h +1 -1
  100. data/ext/libmongocrypt/libmongocrypt/src/mc-writer.c +4 -2
  101. data/ext/libmongocrypt/libmongocrypt/src/mlib/error.h +1 -1
  102. data/ext/libmongocrypt/libmongocrypt/src/mlib/int128.h +12 -1
  103. data/ext/libmongocrypt/libmongocrypt/src/mlib/int128.test.cpp +5 -0
  104. data/ext/libmongocrypt/libmongocrypt/src/mlib/path.h +5 -5
  105. data/ext/libmongocrypt/libmongocrypt/src/mlib/path.test.c +2 -5
  106. data/ext/libmongocrypt/libmongocrypt/src/mlib/str.h +65 -58
  107. data/ext/libmongocrypt/libmongocrypt/src/mlib/str.test.c +3 -3
  108. data/ext/libmongocrypt/libmongocrypt/src/mlib/thread.h +1 -1
  109. data/ext/libmongocrypt/libmongocrypt/src/mlib/user-check.h +1 -1
  110. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-cache-collinfo-private.h +1 -1
  111. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-cache-collinfo.c +4 -0
  112. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-ciphertext-private.h +1 -1
  113. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-crypto-private.h +4 -4
  114. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-crypto.c +29 -25
  115. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-ctx-datakey.c +3 -2
  116. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-ctx-decrypt.c +6 -3
  117. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-ctx-encrypt.c +48 -58
  118. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-ctx-rewrap-many-datakey.c +12 -0
  119. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-ctx.c +5 -13
  120. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-dll-private.h +19 -2
  121. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-key-broker.c +9 -9
  122. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-marking-private.h +3 -4
  123. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-marking.c +285 -89
  124. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-opts-private.h +0 -2
  125. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-opts.c +0 -1
  126. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-private.h +1 -1
  127. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-util.c +4 -1
  128. data/ext/libmongocrypt/libmongocrypt/src/mongocrypt.c +47 -31
  129. data/ext/libmongocrypt/libmongocrypt/src/os_posix/os_dll.c +2 -0
  130. data/ext/libmongocrypt/libmongocrypt/src/os_posix/os_mutex.c +1 -1
  131. data/ext/libmongocrypt/libmongocrypt/src/os_win/os_dll.c +3 -1
  132. data/ext/libmongocrypt/libmongocrypt/src/os_win/os_mutex.c +1 -1
  133. data/ext/libmongocrypt/libmongocrypt/src/unicode/case-fold-map.c +1 -1
  134. data/ext/libmongocrypt/libmongocrypt/src/unicode/diacritic-fold-map.c +1 -1
  135. data/ext/libmongocrypt/libmongocrypt/src/unicode/fold.c +1 -1
  136. data/ext/libmongocrypt/libmongocrypt/test/crypt_shared-stub.cpp +0 -14
  137. data/ext/libmongocrypt/libmongocrypt/test/data/compact/success/encrypted-field-config-map.json +6 -1
  138. data/ext/libmongocrypt/libmongocrypt/test/data/explicit-decrypt/FLE2InsertUpdatePayloadV2-RangeV2.json +8 -0
  139. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/date-v2/encrypted-field-map.json +1 -1
  140. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/date-v2/encrypted-payload.json +6 -4
  141. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/date-v2/mongocryptd-reply.json +1 -1
  142. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/decimal128-precision-v2/encrypted-field-map.json +1 -1
  143. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/decimal128-precision-v2/encrypted-payload.json +6 -4
  144. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/decimal128-precision-v2/mongocryptd-reply.json +2 -2
  145. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/decimal128-v2/encrypted-field-map.json +1 -1
  146. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/decimal128-v2/encrypted-payload.json +6 -4
  147. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/decimal128-v2/mongocryptd-reply.json +1 -1
  148. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/double-precision-v2/encrypted-payload.json +14 -6
  149. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/double-v2/encrypted-field-map.json +1 -1
  150. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/double-v2/encrypted-payload.json +6 -4
  151. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/double-v2/mongocryptd-reply.json +1 -1
  152. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/int32-v2/encrypted-field-map.json +1 -1
  153. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/int32-v2/encrypted-payload.json +6 -4
  154. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/int32-v2/mongocryptd-reply.json +1 -1
  155. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/int64-v2/encrypted-field-map.json +1 -1
  156. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/int64-v2/encrypted-payload.json +6 -4
  157. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/int64-v2/mongocryptd-reply.json +1 -1
  158. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range-explicit/double/encrypted-payload-v2.json +1 -1
  159. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range-explicit/double-precision/encrypted-payload-v2.json +1 -1
  160. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range-explicit/int32/encrypted-payload-v2.json +1 -1
  161. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range-explicit/int32-openinterval/encrypted-payload-v2.json +1 -1
  162. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/date-v2/encrypted-field-map.json +1 -1
  163. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/date-v2/encrypted-payload.json +6 -4
  164. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/date-v2/mongocryptd-reply.json +1 -1
  165. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/decimal128-precision-v2/encrypted-field-map.json +1 -1
  166. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/decimal128-precision-v2/encrypted-payload.json +6 -4
  167. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/decimal128-precision-v2/mongocryptd-reply.json +1 -1
  168. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/decimal128-v2/encrypted-field-map.json +1 -1
  169. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/decimal128-v2/encrypted-payload.json +6 -4
  170. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/decimal128-v2/mongocryptd-reply.json +1 -1
  171. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/double-precision-v2/encrypted-payload.json +14 -6
  172. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/double-v2/encrypted-field-map.json +1 -1
  173. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/double-v2/encrypted-payload.json +6 -4
  174. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/double-v2/mongocryptd-reply.json +1 -1
  175. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/int32-v2/encrypted-field-map.json +1 -1
  176. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/int32-v2/encrypted-payload.json +3 -3
  177. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/int32-v2/mongocryptd-reply.json +1 -1
  178. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/int64-v2/encrypted-field-map.json +1 -1
  179. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/int64-v2/encrypted-payload.json +6 -4
  180. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/int64-v2/mongocryptd-reply.json +1 -1
  181. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range-explicit/double/encrypted-payload-v2.json +1 -1
  182. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range-explicit/double-precision/encrypted-payload-v2.json +1 -1
  183. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range-explicit/int32/encrypted-payload-v2.json +1 -1
  184. data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range-explicit/sparsity-2/encrypted-payload-v2.json +1 -1
  185. data/ext/libmongocrypt/libmongocrypt/test/data/tokens/mc.json +8 -0
  186. data/ext/libmongocrypt/libmongocrypt/test/data/tokens/server.json +8 -0
  187. data/ext/libmongocrypt/libmongocrypt/test/example-state-machine.c +5 -5
  188. data/ext/libmongocrypt/libmongocrypt/test/test-dll.cpp +11 -5
  189. data/ext/libmongocrypt/libmongocrypt/test/test-gcp-auth.c +2 -2
  190. data/ext/libmongocrypt/libmongocrypt/test/test-mc-efc.c +9 -11
  191. data/ext/libmongocrypt/libmongocrypt/test/test-mc-fle2-encryption-placeholder.c +18 -29
  192. data/ext/libmongocrypt/libmongocrypt/test/test-mc-fle2-find-equality-payload-v2.c +1 -1
  193. data/ext/libmongocrypt/libmongocrypt/test/test-mc-fle2-find-range-payload-v2.c +2 -18
  194. data/ext/libmongocrypt/libmongocrypt/test/test-mc-fle2-find-text-payload.c +320 -0
  195. data/ext/libmongocrypt/libmongocrypt/test/test-mc-fle2-payload-iup-v2.c +2 -17
  196. data/ext/libmongocrypt/libmongocrypt/test/test-mc-fle2-payload-iup.c +1 -1
  197. data/ext/libmongocrypt/libmongocrypt/test/test-mc-fle2-rfds.c +8 -5
  198. data/ext/libmongocrypt/libmongocrypt/test/test-mc-range-edge-generation.c +6 -10
  199. data/ext/libmongocrypt/libmongocrypt/test/test-mc-range-encoding.c +29 -33
  200. data/ext/libmongocrypt/libmongocrypt/test/test-mc-range-mincover.c +12 -20
  201. data/ext/libmongocrypt/libmongocrypt/test/test-mc-rangeopts.c +5 -20
  202. data/ext/libmongocrypt/libmongocrypt/test/test-mc-reader.c +5 -5
  203. data/ext/libmongocrypt/libmongocrypt/test/test-mc-text-search-str-encode.c +147 -18
  204. data/ext/libmongocrypt/libmongocrypt/test/test-mc-tokens.c +35 -14
  205. data/ext/libmongocrypt/libmongocrypt/test/test-mc-writer.c +10 -10
  206. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-assert-match-bson.c +3 -7
  207. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-assert.h +36 -24
  208. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-buffer.c +4 -4
  209. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-cache.c +2 -2
  210. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-ciphertext.c +13 -13
  211. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-cleanup.c +49 -55
  212. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-compact.c +64 -67
  213. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-crypto-hooks.c +18 -18
  214. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-crypto-std-hooks.c +4 -0
  215. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-crypto.c +4 -3
  216. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-csfle-lib.c +13 -3
  217. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-ctx-decrypt.c +31 -13
  218. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-ctx-encrypt.c +35 -52
  219. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-ctx-rewrap-many-datakey.c +28 -1
  220. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-ctx-setopt.c +50 -91
  221. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-datakey.c +1 -1
  222. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-dll.c +7 -4
  223. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-endpoint.c +1 -1
  224. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-kek.c +1 -1
  225. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-key-cache.c +3 -5
  226. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-kms-ctx.c +2 -2
  227. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-local-kms.c +1 -1
  228. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-log.c +2 -2
  229. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-marking.c +527 -225
  230. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-status.c +1 -1
  231. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt.c +45 -56
  232. data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt.h +12 -3
  233. data/ext/libmongocrypt/libmongocrypt/test/test-named-kms-providers.c +11 -11
  234. data/ext/libmongocrypt/libmongocrypt/test/test-unicode-fold.c +6 -2
  235. data/ext/libmongocrypt/libmongocrypt/test/util/HELP.autogen +1 -1
  236. data/ext/libmongocrypt/libmongocrypt/test/util/csfle.c +1 -1
  237. data/ext/libmongocrypt/libmongocrypt/test/util/util.c +5 -5
  238. data/ext/libmongocrypt/libmongocrypt/test/util/util.h +7 -6
  239. data/lib/libmongocrypt_helper/version.rb +2 -2
  240. metadata +17 -13
  241. data/ext/libmongocrypt/libmongocrypt/bindings/python/libmongocrypt-version.txt +0 -1
  242. data/ext/libmongocrypt/libmongocrypt/bindings/python/strip_header.py +0 -50
  243. data/ext/libmongocrypt/libmongocrypt/bindings/python/update-sbom.sh +0 -14
  244. data/ext/libmongocrypt/libmongocrypt/test/data/cleanup/success/encrypted-payload.json +0 -29
  245. data/ext/libmongocrypt/libmongocrypt/test/data/compact/success/encrypted-payload.json +0 -29
  246. data/ext/libmongocrypt/libmongocrypt/test/data/explicit-decrypt/FLE2EqualityIndexedValueV2.json +0 -8
  247. data/ext/libmongocrypt/libmongocrypt/test/data/explicit-decrypt/FLE2RangeIndexedValueV2.json +0 -8
  248. /data/ext/libmongocrypt/libmongocrypt/bindings/python/{build-manylinux-wheel.sh → scripts/build-manylinux-wheel.sh} +0 -0
  249. /data/ext/libmongocrypt/libmongocrypt/test/data/explicit-decrypt/{FLE2InsertUpdatePayload-with-edges.json → FLE2InsertUpdatePayload-RangeV1.json} +0 -0
  250. /data/ext/libmongocrypt/libmongocrypt/test/data/explicit-decrypt/{FLE2InsertUpdatePayload-with-edges-V2.json → FLE2InsertUpdatePayloadV2-RangeV1.json} +0 -0
@@ -33,47 +33,41 @@
33
33
  #include <openssl/hmac.h>
34
34
  #include <openssl/rand.h>
35
35
 
36
- #if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
37
-
38
- static HMAC_CTX *HMAC_CTX_new(void) {
39
- return bson_malloc0(sizeof(HMAC_CTX));
40
- }
41
-
42
- static void HMAC_CTX_free(HMAC_CTX *ctx) {
43
- HMAC_CTX_cleanup(ctx);
44
- bson_free(ctx);
45
- }
36
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
37
+ #include <openssl/core_names.h>
38
+ #include <openssl/params.h>
46
39
  #endif
47
40
 
48
41
  bool _native_crypto_initialized = false;
49
42
 
50
- void _native_crypto_init(void) {
51
- _native_crypto_initialized = true;
52
- }
53
-
54
- /* _encrypt_with_cipher encrypts @in with the OpenSSL cipher specified by
55
- * @cipher.
43
+ /* _encrypt_with_cipher encrypts @in with the specified OpenSSL cipher.
44
+ * @cipher is a usable EVP_CIPHER, or NULL if early initialization failed.
45
+ * @cipher_description is a human-readable description used when reporting deferred errors from initialization, required
46
+ * if @cipher might be NULL.
56
47
  * @key is the input key. @iv is the input IV.
57
48
  * @out is the output ciphertext. @out must be allocated by the caller with
58
49
  * enough room for the ciphertext.
59
50
  * @bytes_written is the number of bytes that were written to @out.
60
51
  * Returns false and sets @status on error. @status is required. */
61
- static bool _encrypt_with_cipher(const EVP_CIPHER *cipher, aes_256_args_t args) {
62
- EVP_CIPHER_CTX *ctx;
63
- bool ret = false;
64
- int intermediate_bytes_written = 0;
65
- mongocrypt_status_t *status = args.status;
66
-
67
- ctx = EVP_CIPHER_CTX_new();
68
-
52
+ static bool _encrypt_with_cipher(const EVP_CIPHER *cipher, const char *cipher_description, aes_256_args_t args) {
69
53
  BSON_ASSERT(args.key);
70
54
  BSON_ASSERT(args.in);
71
55
  BSON_ASSERT(args.out);
72
- BSON_ASSERT(ctx);
73
- BSON_ASSERT(cipher);
56
+ BSON_ASSERT(args.in->len <= INT_MAX);
57
+
58
+ mongocrypt_status_t *status = args.status;
59
+ if (!cipher) {
60
+ BSON_ASSERT(cipher_description);
61
+ CLIENT_ERR("failed to initialize cipher %s", cipher_description);
62
+ return false;
63
+ }
64
+
74
65
  BSON_ASSERT(NULL == args.iv || (uint32_t)EVP_CIPHER_iv_length(cipher) == args.iv->len);
75
66
  BSON_ASSERT((uint32_t)EVP_CIPHER_key_length(cipher) == args.key->len);
76
- BSON_ASSERT(args.in->len <= INT_MAX);
67
+
68
+ bool ret = false;
69
+ EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
70
+ BSON_ASSERT(ctx);
77
71
 
78
72
  if (!EVP_EncryptInit_ex(ctx, cipher, NULL /* engine */, args.key->data, NULL == args.iv ? NULL : args.iv->data)) {
79
73
  CLIENT_ERR("error in EVP_EncryptInit_ex: %s", ERR_error_string(ERR_get_error(), NULL));
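Review bot: The new `if (!cipher)` early return in `_encrypt_with_cipher` exits before `*args.bytes_written = 0;` runs (that reset sits further down the function, outside this hunk, and the `EVP_EncryptInit_ex` failure just below also precedes it), so a failed cipher fetch leaves the caller's length at whatever it held before the call; a caller that reads the length without checking the return value could treat stale bytes as ciphertext. Moving the reset above the guard, `BSON_ASSERT(args.bytes_written); *args.bytes_written = 0;`, makes every failure path report zero bytes. The same applies to the matching guard added to `_decrypt_with_cipher` in the later hunk. The two guards also differ in style: this one checks the description with `BSON_ASSERT(cipher_description)` and the decrypt one with `BSON_ASSERT_PARAM(cipher_description)`; using the same macro in both would read more consistently.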
@@ -84,6 +78,8 @@ static bool _encrypt_with_cipher(const EVP_CIPHER *cipher, aes_256_args_t args)
84
78
  EVP_CIPHER_CTX_set_padding(ctx, 0);
85
79
 
86
80
  *args.bytes_written = 0;
81
+
82
+ int intermediate_bytes_written = 0;
87
83
  if (!EVP_EncryptUpdate(ctx, args.out->data, &intermediate_bytes_written, args.in->data, (int)args.in->len)) {
88
84
  CLIENT_ERR("error in EVP_EncryptUpdate: %s", ERR_error_string(ERR_get_error(), NULL));
89
85
  goto done;
@@ -107,30 +103,35 @@ done:
107
103
  return ret;
108
104
  }
109
105
 
110
- /* _decrypt_with_cipher decrypts @in with the OpenSSL cipher specified by
111
- * @cipher.
106
+ /* _decrypt_with_cipher decrypts @in with the specified OpenSSL cipher.
107
+ * @cipher is a usable EVP_CIPHER, or NULL if early initialization failed.
108
+ * @cipher_description is a human-readable description used when reporting deferred errors from initialization, required
109
+ * if @cipher might be NULL.
112
110
  * @key is the input key. @iv is the input IV.
113
111
  * @out is the output plaintext. @out must be allocated by the caller with
114
112
  * enough room for the plaintext.
115
113
  * @bytes_written is the number of bytes that were written to @out.
116
114
  * Returns false and sets @status on error. @status is required. */
117
- static bool _decrypt_with_cipher(const EVP_CIPHER *cipher, aes_256_args_t args) {
118
- EVP_CIPHER_CTX *ctx;
119
- bool ret = false;
120
- int intermediate_bytes_written = 0;
121
- mongocrypt_status_t *status = args.status;
122
-
123
- ctx = EVP_CIPHER_CTX_new();
124
- BSON_ASSERT(ctx);
125
-
126
- BSON_ASSERT_PARAM(cipher);
115
+ static bool _decrypt_with_cipher(const EVP_CIPHER *cipher, const char *cipher_description, aes_256_args_t args) {
127
116
  BSON_ASSERT(args.iv);
128
117
  BSON_ASSERT(args.key);
129
118
  BSON_ASSERT(args.in);
130
119
  BSON_ASSERT(args.out);
120
+ BSON_ASSERT(args.in->len <= INT_MAX);
121
+
122
+ mongocrypt_status_t *status = args.status;
123
+ if (!cipher) {
124
+ BSON_ASSERT_PARAM(cipher_description);
125
+ CLIENT_ERR("failed to initialize cipher %s", cipher_description);
126
+ return false;
127
+ }
128
+
131
129
  BSON_ASSERT((uint32_t)EVP_CIPHER_iv_length(cipher) == args.iv->len);
132
130
  BSON_ASSERT((uint32_t)EVP_CIPHER_key_length(cipher) == args.key->len);
133
- BSON_ASSERT(args.in->len <= INT_MAX);
131
+
132
+ bool ret = false;
133
+ EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
134
+ BSON_ASSERT(ctx);
134
135
 
135
136
  if (!EVP_DecryptInit_ex(ctx, cipher, NULL /* engine */, args.key->data, args.iv->data)) {
136
137
  CLIENT_ERR("error in EVP_DecryptInit_ex: %s", ERR_error_string(ERR_get_error(), NULL));
@@ -142,6 +143,7 @@ static bool _decrypt_with_cipher(const EVP_CIPHER *cipher, aes_256_args_t args)
142
143
 
143
144
  *args.bytes_written = 0;
144
145
 
146
+ int intermediate_bytes_written = 0;
145
147
  if (!EVP_DecryptUpdate(ctx, args.out->data, &intermediate_bytes_written, args.in->data, (int)args.in->len)) {
146
148
  CLIENT_ERR("error in EVP_DecryptUpdate: %s", ERR_error_string(ERR_get_error(), NULL));
147
149
  goto done;
@@ -165,16 +167,186 @@ done:
165
167
  return ret;
166
168
  }
167
169
 
170
+ bool _native_crypto_random(_mongocrypt_buffer_t *out, uint32_t count, mongocrypt_status_t *status) {
171
+ BSON_ASSERT_PARAM(out);
172
+ BSON_ASSERT(count <= INT_MAX);
173
+
174
+ int ret = RAND_bytes(out->data, (int)count);
175
+ /* From man page: "RAND_bytes() and RAND_priv_bytes() return 1 on success, -1
176
+ * if not supported by the current RAND method, or 0 on other failure. The
177
+ * error code can be obtained by ERR_get_error(3)" */
178
+ if (ret == -1) {
179
+ CLIENT_ERR("secure random IV not supported: %s", ERR_error_string(ERR_get_error(), NULL));
180
+ return false;
181
+ } else if (ret == 0) {
182
+ CLIENT_ERR("failed to generate random IV: %s", ERR_error_string(ERR_get_error(), NULL));
183
+ return false;
184
+ }
185
+ return true;
186
+ }
187
+
188
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
189
+ // Newest libcrypto support: requires EVP_MAC_CTX_dup and EVP_CIPHER_fetch added in OpenSSL 3.0.0
190
+
191
+ static struct {
192
+ EVP_MAC_CTX *hmac_sha2_256;
193
+ EVP_MAC_CTX *hmac_sha2_512;
194
+ EVP_CIPHER *aes_256_cbc;
195
+ EVP_CIPHER *aes_256_ctr;
196
+ EVP_CIPHER *aes_256_ecb; // For testing only
197
+ } _mongocrypt_libcrypto;
198
+
199
+ EVP_MAC_CTX *_build_hmac_ctx_prototype(const char *digest_name) {
200
+ EVP_MAC *hmac = EVP_MAC_fetch(NULL, OSSL_MAC_NAME_HMAC, NULL);
201
+ if (!hmac) {
202
+ return NULL;
203
+ }
204
+
205
+ EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(hmac);
206
+ EVP_MAC_free(hmac);
207
+ if (!ctx) {
208
+ return NULL;
209
+ }
210
+
211
+ OSSL_PARAM params[] = {OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, (char *)digest_name, 0),
212
+ OSSL_PARAM_construct_end()};
213
+
214
+ if (EVP_MAC_CTX_set_params(ctx, params)) {
215
+ return ctx;
216
+ } else {
217
+ EVP_MAC_CTX_free(ctx);
218
+ return NULL;
219
+ }
220
+ }
221
+
222
+ /* _hmac_with_ctx_prototype computes an HMAC of @in using an OpenSSL context duplicated from @ctx_prototype.
223
+ * @ctx_description is a human-readable description used when reporting deferred errors from initialization, required
224
+ * if @ctx_prototype might be NULL.
225
+ * @key is the input key.
226
+ * @out is the output. @out must be allocated by the caller with
227
+ * the exact length for the output. E.g. for HMAC 256, @out->len must be 32.
228
+ * Returns false and sets @status on error. @status is required. */
229
+ static bool _hmac_with_ctx_prototype(const EVP_MAC_CTX *ctx_prototype,
230
+ const char *ctx_description,
231
+ const _mongocrypt_buffer_t *key,
232
+ const _mongocrypt_buffer_t *in,
233
+ _mongocrypt_buffer_t *out,
234
+ mongocrypt_status_t *status) {
235
+ BSON_ASSERT_PARAM(key);
236
+ BSON_ASSERT_PARAM(in);
237
+ BSON_ASSERT_PARAM(out);
238
+ BSON_ASSERT(key->len <= INT_MAX);
239
+
240
+ if (!ctx_prototype) {
241
+ BSON_ASSERT_PARAM(ctx_description);
242
+ CLIENT_ERR("failed to initialize algorithm %s", ctx_description);
243
+ return false;
244
+ }
245
+
246
+ EVP_MAC_CTX *ctx = EVP_MAC_CTX_dup(ctx_prototype);
247
+ if (ctx) {
248
+ bool ok = EVP_MAC_init(ctx, key->data, key->len, NULL) && EVP_MAC_update(ctx, in->data, in->len)
249
+ && EVP_MAC_final(ctx, out->data, NULL, out->len);
250
+ EVP_MAC_CTX_free(ctx);
251
+ if (ok) {
252
+ return true;
253
+ }
254
+ }
255
+ CLIENT_ERR("HMAC error: %s", ERR_error_string(ERR_get_error(), NULL));
256
+ return false;
257
+ }
258
+
259
+ void _native_crypto_init(void) {
260
+ // Early lookup of digest and cipher algorithms avoids both the lookup overhead itself and the overhead of lock
261
+ // contention in the default OSSL_LIB_CTX.
262
+ //
263
+ // Failures now will store NULL, reporting a client error later.
264
+ //
265
+ // On HMAC fetching:
266
+ //
267
+ // Note that libcrypto sets an additional trap for us regarding MAC algorithms. An early fetch of the HMAC itself
268
+ // won't actually pre-fetch the subalgorithm. The name of the inner digest gets stored as a string, and re-fetched
269
+ // when setting up MAC context parameters. To fetch both the outer and inner algorithms ahead of time, we construct
270
+ // a prototype EVP_MAC_CTX that can be duplicated before each use.
271
+ //
272
+ // On thread safety:
273
+ //
274
+ // This creates objects that are intended to be immutable shared data after initialization. To understand whether
275
+ // this is safe we could consult the OpenSSL documentation but currently it's lacking in specifics about the
276
+ // individual API functions and types. It offers some general guidelines: "Objects are thread-safe as long as the
277
+ // API's being invoked don't modify the object; in this case the parameter is usually marked in the API as C<const>.
278
+ // Not all parameters are marked this way." By inspection, we can see that pre-fetched ciphers and MACs are designed
279
+ // with atomic reference counting support and appear to be intended for safe immutable use. Contexts are normally
280
+ // not safe to share, but these used only as a source for EVP_MAC_CTX_dup() can be treated as immutable.
281
+ //
282
+ // TODO: This could be refactored to live in mongocrypt_t rather than in global data. Currently there's no way to
283
+ // avoid leaking this set of one-time allocations.
284
+ //
285
+ // TODO: Higher performance yet could be achieved by re-using thread local EVP_MAC_CTX, but this requires careful
286
+ // lifecycle management to avoid leaking data. Alternatively, the libmongocrypt API could be modified to include
287
+ // some non-shared but long-lived context suitable for keeping these crypto objects. Alternatively still, it may be
288
+ // worth using a self contained SHA2 HMAC with favorable performance and portability characteristics.
289
+
290
+ _mongocrypt_libcrypto.aes_256_cbc = EVP_CIPHER_fetch(NULL, "AES-256-CBC", NULL);
291
+ _mongocrypt_libcrypto.aes_256_ctr = EVP_CIPHER_fetch(NULL, "AES-256-CTR", NULL);
292
+ _mongocrypt_libcrypto.aes_256_ecb = EVP_CIPHER_fetch(NULL, "AES-256-ECB", NULL);
293
+ _mongocrypt_libcrypto.hmac_sha2_256 = _build_hmac_ctx_prototype(OSSL_DIGEST_NAME_SHA2_256);
294
+ _mongocrypt_libcrypto.hmac_sha2_512 = _build_hmac_ctx_prototype(OSSL_DIGEST_NAME_SHA2_512);
295
+ _native_crypto_initialized = true;
296
+ }
297
+
168
298
  bool _native_crypto_aes_256_cbc_encrypt(aes_256_args_t args) {
169
- return _encrypt_with_cipher(EVP_aes_256_cbc(), args);
299
+ return _encrypt_with_cipher(_mongocrypt_libcrypto.aes_256_cbc, "AES-256-CBC", args);
170
300
  }
171
301
 
172
302
  bool _native_crypto_aes_256_cbc_decrypt(aes_256_args_t args) {
173
- return _decrypt_with_cipher(EVP_aes_256_cbc(), args);
303
+ return _decrypt_with_cipher(_mongocrypt_libcrypto.aes_256_cbc, "AES-256-CBC", args);
174
304
  }
175
305
 
306
+ bool _native_crypto_aes_256_ecb_encrypt(aes_256_args_t args); // -Wmissing-prototypes: for testing only.
307
+
176
308
  bool _native_crypto_aes_256_ecb_encrypt(aes_256_args_t args) {
177
- return _encrypt_with_cipher(EVP_aes_256_ecb(), args);
309
+ return _encrypt_with_cipher(_mongocrypt_libcrypto.aes_256_ecb, "AES-256-ECB", args);
310
+ }
311
+
312
+ bool _native_crypto_aes_256_ctr_encrypt(aes_256_args_t args) {
313
+ return _encrypt_with_cipher(_mongocrypt_libcrypto.aes_256_ctr, "AES-256-CTR", args);
314
+ }
315
+
316
+ bool _native_crypto_aes_256_ctr_decrypt(aes_256_args_t args) {
317
+ return _decrypt_with_cipher(_mongocrypt_libcrypto.aes_256_ctr, "AES-256-CTR", args);
318
+ }
319
+
320
+ bool _native_crypto_hmac_sha_256(const _mongocrypt_buffer_t *key,
321
+ const _mongocrypt_buffer_t *in,
322
+ _mongocrypt_buffer_t *out,
323
+ mongocrypt_status_t *status) {
324
+ return _hmac_with_ctx_prototype(_mongocrypt_libcrypto.hmac_sha2_256, "HMAC-SHA2-256", key, in, out, status);
325
+ }
326
+
327
+ bool _native_crypto_hmac_sha_512(const _mongocrypt_buffer_t *key,
328
+ const _mongocrypt_buffer_t *in,
329
+ _mongocrypt_buffer_t *out,
330
+ mongocrypt_status_t *status) {
331
+ return _hmac_with_ctx_prototype(_mongocrypt_libcrypto.hmac_sha2_512, "HMAC-SHA2-512", key, in, out, status);
332
+ }
333
+
334
+ #else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
335
+ // Support for previous libcrypto versions, without early fetch optimization.
336
+
337
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
338
+ static HMAC_CTX *HMAC_CTX_new(void) {
339
+ return bson_malloc0(sizeof(HMAC_CTX));
340
+ }
341
+
342
+ static void HMAC_CTX_free(HMAC_CTX *ctx) {
343
+ HMAC_CTX_cleanup(ctx);
344
+ bson_free(ctx);
345
+ }
346
+ #endif
347
+
348
+ void _native_crypto_init(void) {
349
+ _native_crypto_initialized = true;
178
350
  }
179
351
 
180
352
  /* _hmac_with_hash computes an HMAC of @in with the OpenSSL hash specified by
@@ -233,37 +405,26 @@ done:
233
405
  #endif
234
406
  }
235
407
 
236
- bool _native_crypto_hmac_sha_512(const _mongocrypt_buffer_t *key,
237
- const _mongocrypt_buffer_t *in,
238
- _mongocrypt_buffer_t *out,
239
- mongocrypt_status_t *status) {
240
- return _hmac_with_hash(EVP_sha512(), key, in, out, status);
408
+ bool _native_crypto_aes_256_cbc_encrypt(aes_256_args_t args) {
409
+ return _encrypt_with_cipher(EVP_aes_256_cbc(), NULL, args);
241
410
  }
242
411
 
243
- bool _native_crypto_random(_mongocrypt_buffer_t *out, uint32_t count, mongocrypt_status_t *status) {
244
- BSON_ASSERT_PARAM(out);
245
- BSON_ASSERT(count <= INT_MAX);
412
+ bool _native_crypto_aes_256_cbc_decrypt(aes_256_args_t args) {
413
+ return _decrypt_with_cipher(EVP_aes_256_cbc(), NULL, args);
414
+ }
246
415
 
247
- int ret = RAND_bytes(out->data, (int)count);
248
- /* From man page: "RAND_bytes() and RAND_priv_bytes() return 1 on success, -1
249
- * if not supported by the current RAND method, or 0 on other failure. The
250
- * error code can be obtained by ERR_get_error(3)" */
251
- if (ret == -1) {
252
- CLIENT_ERR("secure random IV not supported: %s", ERR_error_string(ERR_get_error(), NULL));
253
- return false;
254
- } else if (ret == 0) {
255
- CLIENT_ERR("failed to generate random IV: %s", ERR_error_string(ERR_get_error(), NULL));
256
- return false;
257
- }
258
- return true;
416
+ bool _native_crypto_aes_256_ecb_encrypt(aes_256_args_t args); // -Wmissing-prototypes: for testing only.
417
+
418
+ bool _native_crypto_aes_256_ecb_encrypt(aes_256_args_t args) {
419
+ return _encrypt_with_cipher(EVP_aes_256_ecb(), NULL, args);
259
420
  }
260
421
 
261
422
  bool _native_crypto_aes_256_ctr_encrypt(aes_256_args_t args) {
262
- return _encrypt_with_cipher(EVP_aes_256_ctr(), args);
423
+ return _encrypt_with_cipher(EVP_aes_256_ctr(), NULL, args);
263
424
  }
264
425
 
265
426
  bool _native_crypto_aes_256_ctr_decrypt(aes_256_args_t args) {
266
- return _decrypt_with_cipher(EVP_aes_256_ctr(), args);
427
+ return _decrypt_with_cipher(EVP_aes_256_ctr(), NULL, args);
267
428
  }
268
429
 
269
430
  bool _native_crypto_hmac_sha_256(const _mongocrypt_buffer_t *key,
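Review bot: The legacy-branch AES wrappers added here (new lines 409–427) pass `NULL` as the description argument, while the OpenSSL 3 branch earlier in the file passes a name such as `"AES-256-CBC"`. `_encrypt_with_cipher` and `_decrypt_with_cipher` are defined outside this hunk. If they handle a NULL cipher the way `_hmac_with_ctx_prototype` handles a NULL context (asserting the description before reporting), a NULL from one of the `EVP_aes_256_*()` getters would abort the process instead of returning a client error. Passing the name in both branches keeps the failure mode uniform, e.g. `return _encrypt_with_cipher(EVP_aes_256_cbc(), "AES-256-CBC", args);`. Otherwise a one-line comment should say that the legacy getters are relied on to be non-NULL.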
@@ -273,4 +434,13 @@ bool _native_crypto_hmac_sha_256(const _mongocrypt_buffer_t *key,
273
434
  return _hmac_with_hash(EVP_sha256(), key, in, out, status);
274
435
  }
275
436
 
437
+ bool _native_crypto_hmac_sha_512(const _mongocrypt_buffer_t *key,
438
+ const _mongocrypt_buffer_t *in,
439
+ _mongocrypt_buffer_t *out,
440
+ mongocrypt_status_t *status) {
441
+ return _hmac_with_hash(EVP_sha512(), key, in, out, status);
442
+ }
443
+
444
+ #endif /* OPENSSL_VERSION_NUMBER */
445
+
276
446
  #endif /* MONGOCRYPT_ENABLE_CRYPTO_LIBCRYPTO */
@@ -72,4 +72,4 @@ bool _native_crypto_hmac_sha_256(const _mongocrypt_buffer_t *key,
72
72
  return false;
73
73
  }
74
74
 
75
- #endif /* MONGOCRYPT_ENABLE_CRYPTO */
75
+ #endif /* MONGOCRYPT_ENABLE_CRYPTO */
@@ -102,13 +102,15 @@ int do_main(int argc, const char *const *argv) {
102
102
 
103
103
  mcr_dll csfle = mcr_dll_open(argv[1]);
104
104
  auto close_csfle = DEFER({ mcr_dll_close(csfle); });
105
- if (csfle.error_string.data) {
106
- std::cerr << "Failed to open [" << argv[1] << "] as a dynamic library: " << csfle.error_string.data << '\n';
105
+ if (csfle.error_string.raw.data) {
106
+ std::cerr << "Failed to open [" << argv[1] << "] as a dynamic library: " << csfle.error_string.raw.data << '\n';
107
107
  return 3;
108
108
  }
109
109
 
110
110
  #define LOAD_SYM(Name) \
111
+ MC_BEGIN_CAST_FUNCTION_TYPE_STRICT_IGNORE \
111
112
  auto Name = reinterpret_cast<decltype(&(::Name))>(mcr_dll_sym(csfle, #Name)); \
113
+ MC_END_CAST_FUNCTION_TYPE_STRICT_IGNORE \
112
114
  if (!Name) { \
113
115
  fprintf(stderr, "Failed to load required symbol [%s] from the given csfle library", #Name); \
114
116
  return 4; \
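Review bot: The `MC_BEGIN_CAST_FUNCTION_TYPE_STRICT_IGNORE` / `MC_END_CAST_FUNCTION_TYPE_STRICT_IGNORE` pair added around the `reinterpret_cast` in `LOAD_SYM` has no comment explaining why silencing the diagnostic is acceptable. The cast's target type comes from the header declaration of `Name`, but the symbol is resolved from the library opened from `argv[1]`, so nothing at load time checks that the library's function has that signature. Judging by their names, the macros suppress exactly the warning that would point at this. I would add above the `#define`: `// Cast target comes from our header's declaration of Name; the loaded library's real signature is not verified.` The macro body continues past the end of the hunk.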
@@ -11,11 +11,11 @@
11
11
  // the ImportDFP.cmake script:
12
12
  #ifndef MONGOCRYPT_INTELDFP
13
13
  // Notify includers that Decimal128 is not available:
14
- #define MONGOCRYPT_HAVE_DECIMAL128_SUPPORT 0
14
+ #define MONGOCRYPT_HAVE_DECIMAL128_SUPPORT() false
15
15
 
16
16
  #else // With IntelDFP:
17
17
  // Tell includers that Decimal128 is okay:
18
- #define MONGOCRYPT_HAVE_DECIMAL128_SUPPORT 1
18
+ #define MONGOCRYPT_HAVE_DECIMAL128_SUPPORT() true
19
19
 
20
20
  // Include the header that declares the DFP functions, which may be macros that
21
21
  // expand to renamed symbols:
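Review bot: With `MONGOCRYPT_HAVE_DECIMAL128_SUPPORT()` now expanding to `true` or `false` (new lines 14 and 18), a pre-C23 C translation unit that evaluates it in `#if` without `<stdbool.h>` in effect sees `true` as an undefined identifier. The preprocessor treats that as 0, so Decimal128 support would be compiled out silently rather than failing the build. The header's own includes sit above this hunk, so whether `<stdbool.h>` is always pulled in first is not visible here; C++ includers are unaffected. Expanding to integer literals removes the dependency: `#define MONGOCRYPT_HAVE_DECIMAL128_SUPPORT() 1` in the IntelDFP branch and `#define MONGOCRYPT_HAVE_DECIMAL128_SUPPORT() 0` otherwise.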
@@ -2,7 +2,7 @@
2
2
 
3
3
  #include <cstdio>
4
4
 
5
- #if MONGOCRYPT_HAVE_DECIMAL128_SUPPORT
5
+ #if MONGOCRYPT_HAVE_DECIMAL128_SUPPORT()
6
6
 
7
7
  #include <stdlib.h>
8
8
 
@@ -76,4 +76,4 @@ int main() {
76
76
  std::puts("@@ctest-skip@@\n Decimal128 support is not enabled\n");
77
77
  }
78
78
 
79
- #endif
79
+ #endif
@@ -53,10 +53,7 @@ typedef struct {
53
53
  * into @efc. Fields are copied from @efc_bson. It is OK to free efc_bson after
54
54
  * this call. Fields are appended in reverse order to @efc->fields. Extra
55
55
  * unrecognized fields are not considered an error for forward compatibility. */
56
- bool mc_EncryptedFieldConfig_parse(mc_EncryptedFieldConfig_t *efc,
57
- const bson_t *efc_bson,
58
- mongocrypt_status_t *status,
59
- bool use_range_v2);
56
+ bool mc_EncryptedFieldConfig_parse(mc_EncryptedFieldConfig_t *efc, const bson_t *efc_bson, mongocrypt_status_t *status);
60
57
 
61
58
  void mc_EncryptedFieldConfig_cleanup(mc_EncryptedFieldConfig_t *efc);
62
59
 
@@ -51,7 +51,7 @@ _parse_supported_query_types(bson_iter_t *iter, supported_query_type_flags *out,
51
51
  BSON_ASSERT_PARAM(iter);
52
52
  BSON_ASSERT_PARAM(out);
53
53
  if (!BSON_ITER_HOLDS_DOCUMENT(iter)) {
54
- CLIENT_ERR("When parsing supported query types: Expected type document, got: %d", bson_iter_type(iter));
54
+ CLIENT_ERR("When parsing supported query types: Expected type document, got: %d", (int)bson_iter_type(iter));
55
55
  return false;
56
56
  }
57
57
 
@@ -66,7 +66,7 @@ _parse_supported_query_types(bson_iter_t *iter, supported_query_type_flags *out,
66
66
  }
67
67
  if (!BSON_ITER_HOLDS_UTF8(&query_type_iter)) {
68
68
  CLIENT_ERR("When parsing supported query types: Expected 'queryType' to be type UTF-8, got: %d",
69
- bson_iter_type(&query_type_iter));
69
+ (int)bson_iter_type(&query_type_iter));
70
70
  return false;
71
71
  }
72
72
  const char *queryType = bson_iter_utf8(&query_type_iter, NULL /* length */);
@@ -78,8 +78,7 @@ _parse_supported_query_types(bson_iter_t *iter, supported_query_type_flags *out,
78
78
  }
79
79
 
80
80
  /* _parse_field parses and prepends one field document to efc->fields. */
81
- static bool
82
- _parse_field(mc_EncryptedFieldConfig_t *efc, bson_t *field, mongocrypt_status_t *status, bool use_range_v2) {
81
+ static bool _parse_field(mc_EncryptedFieldConfig_t *efc, bson_t *field, mongocrypt_status_t *status) {
83
82
  supported_query_type_flags query_types = SUPPORTS_NO_QUERIES;
84
83
  bson_iter_t field_iter;
85
84
 
@@ -91,7 +90,7 @@ _parse_field(mc_EncryptedFieldConfig_t *efc, bson_t *field, mongocrypt_status_t
91
90
  return false;
92
91
  }
93
92
  if (!BSON_ITER_HOLDS_BINARY(&field_iter)) {
94
- CLIENT_ERR("expected 'fields.keyId' to be type binary, got: %d", bson_iter_type(&field_iter));
93
+ CLIENT_ERR("expected 'fields.keyId' to be type binary, got: %d", (int)bson_iter_type(&field_iter));
95
94
  return false;
96
95
  }
97
96
  _mongocrypt_buffer_t field_keyid;
@@ -106,7 +105,7 @@ _parse_field(mc_EncryptedFieldConfig_t *efc, bson_t *field, mongocrypt_status_t
106
105
  return false;
107
106
  }
108
107
  if (!BSON_ITER_HOLDS_UTF8(&field_iter)) {
109
- CLIENT_ERR("expected 'fields.path' to be type UTF-8, got: %d", bson_iter_type(&field_iter));
108
+ CLIENT_ERR("expected 'fields.path' to be type UTF-8, got: %d", (int)bson_iter_type(&field_iter));
110
109
  return false;
111
110
  }
112
111
  field_path = bson_iter_utf8(&field_iter, NULL /* length */);
@@ -141,8 +140,8 @@ _parse_field(mc_EncryptedFieldConfig_t *efc, bson_t *field, mongocrypt_status_t
141
140
  }
142
141
  }
143
142
 
144
- if (query_types & SUPPORTS_RANGE_PREVIEW_DEPRECATED_QUERIES && use_range_v2) {
145
- // When rangev2 is enabled ("range") error if "rangePreview" is included.
143
+ if (query_types & SUPPORTS_RANGE_PREVIEW_DEPRECATED_QUERIES) {
144
+ // Error if the removed "rangePreview" is included.
146
145
  // This check is intended to give an easier-to-understand earlier error.
147
146
  CLIENT_ERR("Cannot use field '%s' with 'rangePreview' queries. 'rangePreview' is unsupported. Use 'range' "
148
147
  "instead. 'range' is not compatible with 'rangePreview' and requires recreating the collection.",
@@ -163,8 +162,7 @@ _parse_field(mc_EncryptedFieldConfig_t *efc, bson_t *field, mongocrypt_status_t
163
162
 
164
163
  bool mc_EncryptedFieldConfig_parse(mc_EncryptedFieldConfig_t *efc,
165
164
  const bson_t *efc_bson,
166
- mongocrypt_status_t *status,
167
- bool use_range_v2) {
165
+ mongocrypt_status_t *status) {
168
166
  bson_iter_t iter;
169
167
 
170
168
  BSON_ASSERT_PARAM(efc);
@@ -189,7 +187,7 @@ bool mc_EncryptedFieldConfig_parse(mc_EncryptedFieldConfig_t *efc,
189
187
  if (!mc_iter_document_as_bson(&iter, &field, status)) {
190
188
  return false;
191
189
  }
192
- if (!_parse_field(efc, &field, status, use_range_v2)) {
190
+ if (!_parse_field(efc, &field, status)) {
193
191
  return false;
194
192
  }
195
193
  // The first element of efc->fields contains the newly parsed field.
@@ -46,6 +46,7 @@ typedef enum {
46
46
 
47
47
  /* Text Search Subtypes */
48
48
  MC_SUBTYPE_FLE2IndexedTextEncryptedValue = 17,
49
+ MC_SUBTYPE_FLE2FindTextPayload = 18,
49
50
  } mc_fle_blob_subtype_t;
50
51
 
51
52
  #endif /* MC_FLE_BLOB_SUBTYPE_PRIVATE_H */
@@ -86,10 +86,7 @@ typedef struct {
86
86
  BSON_STATIC_ASSERT2(alignof_mc_FLE2RangeFindSpec_t,
87
87
  BSON_ALIGNOF(mc_FLE2RangeFindSpec_t) >= BSON_ALIGNOF(mc_FLE2RangeFindSpecEdgesInfo_t));
88
88
 
89
- bool mc_FLE2RangeFindSpec_parse(mc_FLE2RangeFindSpec_t *out,
90
- const bson_iter_t *in,
91
- bool use_range_v2,
92
- mongocrypt_status_t *status);
89
+ bool mc_FLE2RangeFindSpec_parse(mc_FLE2RangeFindSpec_t *out, const bson_iter_t *in, mongocrypt_status_t *status);
93
90
 
94
91
  /** mc_FLE2RangeInsertSpec_t represents the range insert specification that is
95
92
  * encoded inside of a FLE2EncryptionPlaceholder. See
@@ -114,10 +111,7 @@ typedef struct {
114
111
  BSON_STATIC_ASSERT2(alignof_mc_FLE2RangeInsertSpec_t,
115
112
  BSON_ALIGNOF(mc_FLE2RangeInsertSpec_t) >= BSON_ALIGNOF(bson_iter_t));
116
113
 
117
- bool mc_FLE2RangeInsertSpec_parse(mc_FLE2RangeInsertSpec_t *out,
118
- const bson_iter_t *in,
119
- bool use_range_v2,
120
- mongocrypt_status_t *status);
114
+ bool mc_FLE2RangeInsertSpec_parse(mc_FLE2RangeInsertSpec_t *out, const bson_iter_t *in, mongocrypt_status_t *status);
121
115
 
122
116
  // Note: For the substring/suffix/prefix insert specs, all lengths are in terms of number of UTF-8 codepoints, not
123
117
  // number of bytes.
@@ -131,6 +125,10 @@ typedef struct {
131
125
  uint32_t ub;
132
126
  } mc_FLE2SubstringInsertSpec_t;
133
127
 
128
+ bool mc_FLE2SubstringInsertSpec_parse(mc_FLE2SubstringInsertSpec_t *out,
129
+ const bson_iter_t *in,
130
+ mongocrypt_status_t *status);
131
+
134
132
  /* mc_FLE2SuffixInsertSpec_t holds the parameters used to encode for suffix search. */
135
133
  typedef struct {
136
134
  // lb is the lower bound on the length of suffixes to be indexed.
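Review bot: `mc_FLE2SubstringInsertSpec_parse` (new lines 128–130) is declared without a comment stating its contract, and the same holds for the Suffix and Prefix parsers added in the next two hunks. These structs carry `lb`/`ub` length bounds that the parser fills from a BSON iterator, so a caller needs to know what is validated (for instance whether `lb <= ub` is enforced) and whether `@status` is set on failure. The implementations are not in this hunk. If they follow the convention of the other parsers in this header, `/* Parses @in into @out. Returns false and sets @status on error. */` plus one line naming the bounds checks would cover it.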
@@ -139,6 +137,8 @@ typedef struct {
139
137
  uint32_t ub;
140
138
  } mc_FLE2SuffixInsertSpec_t;
141
139
 
140
+ bool mc_FLE2SuffixInsertSpec_parse(mc_FLE2SuffixInsertSpec_t *out, const bson_iter_t *in, mongocrypt_status_t *status);
141
+
142
142
  /* mc_FLE2PrefixInsertSpec_t holds the parameters used to encode for prefix search. */
143
143
  typedef struct {
144
144
  // lb is the lower bound on the length of prefixes to be indexed.
@@ -147,6 +147,8 @@ typedef struct {
147
147
  uint32_t ub;
148
148
  } mc_FLE2PrefixInsertSpec_t;
149
149
 
150
+ bool mc_FLE2PrefixInsertSpec_parse(mc_FLE2PrefixInsertSpec_t *out, const bson_iter_t *in, mongocrypt_status_t *status);
151
+
150
152
  /** mc_FLE2TextSearchInsertSpec_t represents the text search insert specification that is
151
153
  * encoded inside of a FLE2EncryptionPlaceholder. See
152
154
  * https://github.com/mongodb/mongo/blob/master/src/mongo/crypto/fle_field_schema.idl