libmongocrypt-helper 1.13.2.0.1001 → 1.14.0.0.1001
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/ext/libmongocrypt/libmongocrypt/CHANGELOG.md +8 -0
- data/ext/libmongocrypt/libmongocrypt/CMakeLists.txt +5 -1
- data/ext/libmongocrypt/libmongocrypt/CODEOWNERS +4 -1
- data/ext/libmongocrypt/libmongocrypt/Earthfile +18 -17
- data/ext/libmongocrypt/libmongocrypt/README.md +8 -8
- data/ext/libmongocrypt/libmongocrypt/bindings/python/CHANGELOG.rst +7 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/CONTRIBUTING.md +34 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/asynchronous/state_machine.py +6 -2
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/binding.py +18 -2
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py +9 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/options.py +14 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/synchronous/state_machine.py +6 -2
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/version.py +1 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/python/sbom.json +8 -8
- data/ext/libmongocrypt/libmongocrypt/bindings/python/scripts/libmongocrypt-version.txt +1 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/{release.sh → scripts/release.sh} +9 -3
- data/ext/libmongocrypt/libmongocrypt/bindings/python/{synchro.py → scripts/synchro.py} +16 -9
- data/ext/libmongocrypt/libmongocrypt/bindings/python/scripts/synchro.sh +8 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/scripts/update-version.sh +27 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/scripts/update_binding.py +78 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/test_mongocrypt.py +15 -0
- data/ext/libmongocrypt/libmongocrypt/doc/releasing.md +25 -18
- data/ext/libmongocrypt/libmongocrypt/etc/calc_release_version.py +39 -13
- data/ext/libmongocrypt/libmongocrypt/etc/calc_release_version_selftest.sh +1 -1
- data/ext/libmongocrypt/libmongocrypt/etc/cyclonedx.sbom.json +2 -2
- data/ext/libmongocrypt/libmongocrypt/kms-message/CMakeLists.txt +1 -1
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/hexlify.c +5 -0
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/hexlify.h +1 -1
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_azure_request.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_gcp_request.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_kmip_reader_writer.c +4 -2
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_kmip_request.c +1 -2
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_message_private.h +5 -1
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_request.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_request_opt.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_request_str.c +2 -8
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_request_str.h +9 -0
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_response_parser.c +0 -1
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/sort.c +7 -3
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/sort.h +2 -0
- data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kmip_reader_writer.c +8 -1
- data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_assert.h +5 -4
- data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_azure_online.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_gcp_online.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_kmip_request.c +4 -0
- data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_kmip_response.c +3 -0
- data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_kmip_response_parser.c +4 -0
- data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_online_util.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_online_util.h +1 -1
- data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kms_request.c +39 -39
- data/ext/libmongocrypt/libmongocrypt/src/crypto/libcrypto.c +235 -65
- data/ext/libmongocrypt/libmongocrypt/src/crypto/none.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/csfle-markup.cpp +4 -2
- data/ext/libmongocrypt/libmongocrypt/src/mc-dec128.h +2 -2
- data/ext/libmongocrypt/libmongocrypt/src/mc-dec128.test.cpp +2 -2
- data/ext/libmongocrypt/libmongocrypt/src/mc-efc-private.h +1 -4
- data/ext/libmongocrypt/libmongocrypt/src/mc-efc.c +9 -11
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle-blob-subtype-private.h +1 -0
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-encryption-placeholder-private.h +10 -8
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-encryption-placeholder.c +167 -176
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-equality-payload-v2.c +6 -17
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-equality-payload.c +6 -17
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-range-payload-private-v2.h +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-range-payload-v2.c +25 -26
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-range-payload.c +2 -1
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-text-payload-private.h +122 -0
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-text-payload.c +477 -0
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-insert-update-payload-private-v2.h +1 -3
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-insert-update-payload-v2.c +28 -43
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-insert-update-payload.c +6 -17
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-payload-iev-v2.c +6 -5
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-payload-iev.c +13 -10
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-payload-uev-common.c +3 -2
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-rfds.c +7 -6
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-tag-and-encrypted-metadata-block.c +4 -3
- data/ext/libmongocrypt/libmongocrypt/src/mc-optional-private.h +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/mc-parse-utils-private.h +27 -0
- data/ext/libmongocrypt/libmongocrypt/src/mc-parse-utils.c +48 -0
- data/ext/libmongocrypt/libmongocrypt/src/mc-range-edge-generation-private.h +5 -5
- data/ext/libmongocrypt/libmongocrypt/src/mc-range-edge-generation.c +15 -20
- data/ext/libmongocrypt/libmongocrypt/src/mc-range-encoding-private.h +4 -6
- data/ext/libmongocrypt/libmongocrypt/src/mc-range-encoding.c +9 -18
- data/ext/libmongocrypt/libmongocrypt/src/mc-range-mincover-generator.template.h +4 -5
- data/ext/libmongocrypt/libmongocrypt/src/mc-range-mincover-private.h +5 -9
- data/ext/libmongocrypt/libmongocrypt/src/mc-range-mincover.c +14 -19
- data/ext/libmongocrypt/libmongocrypt/src/mc-rangeopts-private.h +2 -4
- data/ext/libmongocrypt/libmongocrypt/src/mc-rangeopts.c +109 -119
- data/ext/libmongocrypt/libmongocrypt/src/mc-reader-private.h +2 -2
- data/ext/libmongocrypt/libmongocrypt/src/mc-reader.c +4 -2
- data/ext/libmongocrypt/libmongocrypt/src/mc-schema-broker-private.h +0 -3
- data/ext/libmongocrypt/libmongocrypt/src/mc-schema-broker.c +4 -14
- data/ext/libmongocrypt/libmongocrypt/src/mc-str-encode-string-sets-private.h +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/mc-str-encode-string-sets.c +3 -3
- data/ext/libmongocrypt/libmongocrypt/src/mc-text-search-str-encode-private.h +8 -1
- data/ext/libmongocrypt/libmongocrypt/src/mc-text-search-str-encode.c +78 -2
- data/ext/libmongocrypt/libmongocrypt/src/mc-tokens-private.h +34 -16
- data/ext/libmongocrypt/libmongocrypt/src/mc-tokens.c +66 -74
- data/ext/libmongocrypt/libmongocrypt/src/mc-writer-private.h +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/mc-writer.c +4 -2
- data/ext/libmongocrypt/libmongocrypt/src/mlib/error.h +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/mlib/int128.h +12 -1
- data/ext/libmongocrypt/libmongocrypt/src/mlib/int128.test.cpp +5 -0
- data/ext/libmongocrypt/libmongocrypt/src/mlib/path.h +5 -5
- data/ext/libmongocrypt/libmongocrypt/src/mlib/path.test.c +2 -5
- data/ext/libmongocrypt/libmongocrypt/src/mlib/str.h +65 -58
- data/ext/libmongocrypt/libmongocrypt/src/mlib/str.test.c +3 -3
- data/ext/libmongocrypt/libmongocrypt/src/mlib/thread.h +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/mlib/user-check.h +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-cache-collinfo-private.h +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-cache-collinfo.c +4 -0
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-ciphertext-private.h +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-crypto-private.h +4 -4
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-crypto.c +29 -25
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-ctx-datakey.c +3 -2
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-ctx-decrypt.c +6 -3
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-ctx-encrypt.c +48 -58
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-ctx-rewrap-many-datakey.c +12 -0
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-ctx.c +5 -13
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-dll-private.h +19 -2
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-key-broker.c +9 -9
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-marking-private.h +3 -4
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-marking.c +285 -89
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-opts-private.h +0 -2
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-opts.c +0 -1
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-private.h +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-util.c +4 -1
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt.c +47 -31
- data/ext/libmongocrypt/libmongocrypt/src/os_posix/os_dll.c +2 -0
- data/ext/libmongocrypt/libmongocrypt/src/os_posix/os_mutex.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/os_win/os_dll.c +3 -1
- data/ext/libmongocrypt/libmongocrypt/src/os_win/os_mutex.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/unicode/case-fold-map.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/unicode/diacritic-fold-map.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/unicode/fold.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/crypt_shared-stub.cpp +0 -14
- data/ext/libmongocrypt/libmongocrypt/test/data/compact/success/encrypted-field-config-map.json +6 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/explicit-decrypt/FLE2InsertUpdatePayloadV2-RangeV2.json +8 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/date-v2/encrypted-field-map.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/date-v2/encrypted-payload.json +6 -4
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/date-v2/mongocryptd-reply.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/decimal128-precision-v2/encrypted-field-map.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/decimal128-precision-v2/encrypted-payload.json +6 -4
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/decimal128-precision-v2/mongocryptd-reply.json +2 -2
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/decimal128-v2/encrypted-field-map.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/decimal128-v2/encrypted-payload.json +6 -4
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/decimal128-v2/mongocryptd-reply.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/double-precision-v2/encrypted-payload.json +14 -6
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/double-v2/encrypted-field-map.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/double-v2/encrypted-payload.json +6 -4
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/double-v2/mongocryptd-reply.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/int32-v2/encrypted-field-map.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/int32-v2/encrypted-payload.json +6 -4
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/int32-v2/mongocryptd-reply.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/int64-v2/encrypted-field-map.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/int64-v2/encrypted-payload.json +6 -4
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range/int64-v2/mongocryptd-reply.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range-explicit/double/encrypted-payload-v2.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range-explicit/double-precision/encrypted-payload-v2.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range-explicit/int32/encrypted-payload-v2.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-find-range-explicit/int32-openinterval/encrypted-payload-v2.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/date-v2/encrypted-field-map.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/date-v2/encrypted-payload.json +6 -4
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/date-v2/mongocryptd-reply.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/decimal128-precision-v2/encrypted-field-map.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/decimal128-precision-v2/encrypted-payload.json +6 -4
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/decimal128-precision-v2/mongocryptd-reply.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/decimal128-v2/encrypted-field-map.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/decimal128-v2/encrypted-payload.json +6 -4
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/decimal128-v2/mongocryptd-reply.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/double-precision-v2/encrypted-payload.json +14 -6
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/double-v2/encrypted-field-map.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/double-v2/encrypted-payload.json +6 -4
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/double-v2/mongocryptd-reply.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/int32-v2/encrypted-field-map.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/int32-v2/encrypted-payload.json +3 -3
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/int32-v2/mongocryptd-reply.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/int64-v2/encrypted-field-map.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/int64-v2/encrypted-payload.json +6 -4
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range/int64-v2/mongocryptd-reply.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range-explicit/double/encrypted-payload-v2.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range-explicit/double-precision/encrypted-payload-v2.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range-explicit/int32/encrypted-payload-v2.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-insert-range-explicit/sparsity-2/encrypted-payload-v2.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/tokens/mc.json +8 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/tokens/server.json +8 -0
- data/ext/libmongocrypt/libmongocrypt/test/example-state-machine.c +5 -5
- data/ext/libmongocrypt/libmongocrypt/test/test-dll.cpp +11 -5
- data/ext/libmongocrypt/libmongocrypt/test/test-gcp-auth.c +2 -2
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-efc.c +9 -11
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-fle2-encryption-placeholder.c +18 -29
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-fle2-find-equality-payload-v2.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-fle2-find-range-payload-v2.c +2 -18
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-fle2-find-text-payload.c +320 -0
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-fle2-payload-iup-v2.c +2 -17
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-fle2-payload-iup.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-fle2-rfds.c +8 -5
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-range-edge-generation.c +6 -10
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-range-encoding.c +29 -33
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-range-mincover.c +12 -20
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-rangeopts.c +5 -20
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-reader.c +5 -5
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-text-search-str-encode.c +147 -18
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-tokens.c +35 -14
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-writer.c +10 -10
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-assert-match-bson.c +3 -7
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-assert.h +36 -24
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-buffer.c +4 -4
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-cache.c +2 -2
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-ciphertext.c +13 -13
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-cleanup.c +49 -55
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-compact.c +64 -67
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-crypto-hooks.c +18 -18
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-crypto-std-hooks.c +4 -0
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-crypto.c +4 -3
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-csfle-lib.c +13 -3
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-ctx-decrypt.c +31 -13
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-ctx-encrypt.c +35 -52
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-ctx-rewrap-many-datakey.c +28 -1
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-ctx-setopt.c +50 -91
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-datakey.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-dll.c +7 -4
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-endpoint.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-kek.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-key-cache.c +3 -5
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-kms-ctx.c +2 -2
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-local-kms.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-log.c +2 -2
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-marking.c +527 -225
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-status.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt.c +45 -56
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt.h +12 -3
- data/ext/libmongocrypt/libmongocrypt/test/test-named-kms-providers.c +11 -11
- data/ext/libmongocrypt/libmongocrypt/test/test-unicode-fold.c +6 -2
- data/ext/libmongocrypt/libmongocrypt/test/util/HELP.autogen +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/util/csfle.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/util/util.c +5 -5
- data/ext/libmongocrypt/libmongocrypt/test/util/util.h +7 -6
- data/lib/libmongocrypt_helper/version.rb +2 -2
- metadata +17 -13
- data/ext/libmongocrypt/libmongocrypt/bindings/python/libmongocrypt-version.txt +0 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/python/strip_header.py +0 -50
- data/ext/libmongocrypt/libmongocrypt/bindings/python/update-sbom.sh +0 -14
- data/ext/libmongocrypt/libmongocrypt/test/data/cleanup/success/encrypted-payload.json +0 -29
- data/ext/libmongocrypt/libmongocrypt/test/data/compact/success/encrypted-payload.json +0 -29
- data/ext/libmongocrypt/libmongocrypt/test/data/explicit-decrypt/FLE2EqualityIndexedValueV2.json +0 -8
- data/ext/libmongocrypt/libmongocrypt/test/data/explicit-decrypt/FLE2RangeIndexedValueV2.json +0 -8
- /data/ext/libmongocrypt/libmongocrypt/bindings/python/{build-manylinux-wheel.sh → scripts/build-manylinux-wheel.sh} +0 -0
- /data/ext/libmongocrypt/libmongocrypt/test/data/explicit-decrypt/{FLE2InsertUpdatePayload-with-edges.json → FLE2InsertUpdatePayload-RangeV1.json} +0 -0
- /data/ext/libmongocrypt/libmongocrypt/test/data/explicit-decrypt/{FLE2InsertUpdatePayload-with-edges-V2.json → FLE2InsertUpdatePayloadV2-RangeV1.json} +0 -0
@@ -33,47 +33,41 @@
|
|
33
33
|
#include <openssl/hmac.h>
|
34
34
|
#include <openssl/rand.h>
|
35
35
|
|
36
|
-
#if OPENSSL_VERSION_NUMBER
|
37
|
-
|
38
|
-
|
39
|
-
return bson_malloc0(sizeof(HMAC_CTX));
|
40
|
-
}
|
41
|
-
|
42
|
-
static void HMAC_CTX_free(HMAC_CTX *ctx) {
|
43
|
-
HMAC_CTX_cleanup(ctx);
|
44
|
-
bson_free(ctx);
|
45
|
-
}
|
36
|
+
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
37
|
+
#include <openssl/core_names.h>
|
38
|
+
#include <openssl/params.h>
|
46
39
|
#endif
|
47
40
|
|
48
41
|
bool _native_crypto_initialized = false;
|
49
42
|
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
/* _encrypt_with_cipher encrypts @in with the OpenSSL cipher specified by
|
55
|
-
* @cipher.
|
43
|
+
/* _encrypt_with_cipher encrypts @in with the specified OpenSSL cipher.
|
44
|
+
* @cipher is a usable EVP_CIPHER, or NULL if early initialization failed.
|
45
|
+
* @cipher_description is a human-readable description used when reporting deferred errors from initialization, required
|
46
|
+
* if @cipher might be NULL.
|
56
47
|
* @key is the input key. @iv is the input IV.
|
57
48
|
* @out is the output ciphertext. @out must be allocated by the caller with
|
58
49
|
* enough room for the ciphertext.
|
59
50
|
* @bytes_written is the number of bytes that were written to @out.
|
60
51
|
* Returns false and sets @status on error. @status is required. */
|
61
|
-
static bool _encrypt_with_cipher(const EVP_CIPHER *cipher, aes_256_args_t args) {
|
62
|
-
EVP_CIPHER_CTX *ctx;
|
63
|
-
bool ret = false;
|
64
|
-
int intermediate_bytes_written = 0;
|
65
|
-
mongocrypt_status_t *status = args.status;
|
66
|
-
|
67
|
-
ctx = EVP_CIPHER_CTX_new();
|
68
|
-
|
52
|
+
static bool _encrypt_with_cipher(const EVP_CIPHER *cipher, const char *cipher_description, aes_256_args_t args) {
|
69
53
|
BSON_ASSERT(args.key);
|
70
54
|
BSON_ASSERT(args.in);
|
71
55
|
BSON_ASSERT(args.out);
|
72
|
-
BSON_ASSERT(
|
73
|
-
|
56
|
+
BSON_ASSERT(args.in->len <= INT_MAX);
|
57
|
+
|
58
|
+
mongocrypt_status_t *status = args.status;
|
59
|
+
if (!cipher) {
|
60
|
+
BSON_ASSERT(cipher_description);
|
61
|
+
CLIENT_ERR("failed to initialize cipher %s", cipher_description);
|
62
|
+
return false;
|
63
|
+
}
|
64
|
+
|
74
65
|
BSON_ASSERT(NULL == args.iv || (uint32_t)EVP_CIPHER_iv_length(cipher) == args.iv->len);
|
75
66
|
BSON_ASSERT((uint32_t)EVP_CIPHER_key_length(cipher) == args.key->len);
|
76
|
-
|
67
|
+
|
68
|
+
bool ret = false;
|
69
|
+
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
|
70
|
+
BSON_ASSERT(ctx);
|
77
71
|
|
78
72
|
if (!EVP_EncryptInit_ex(ctx, cipher, NULL /* engine */, args.key->data, NULL == args.iv ? NULL : args.iv->data)) {
|
79
73
|
CLIENT_ERR("error in EVP_EncryptInit_ex: %s", ERR_error_string(ERR_get_error(), NULL));
|
@@ -84,6 +78,8 @@ static bool _encrypt_with_cipher(const EVP_CIPHER *cipher, aes_256_args_t args)
|
|
84
78
|
EVP_CIPHER_CTX_set_padding(ctx, 0);
|
85
79
|
|
86
80
|
*args.bytes_written = 0;
|
81
|
+
|
82
|
+
int intermediate_bytes_written = 0;
|
87
83
|
if (!EVP_EncryptUpdate(ctx, args.out->data, &intermediate_bytes_written, args.in->data, (int)args.in->len)) {
|
88
84
|
CLIENT_ERR("error in EVP_EncryptUpdate: %s", ERR_error_string(ERR_get_error(), NULL));
|
89
85
|
goto done;
|
@@ -107,30 +103,35 @@ done:
|
|
107
103
|
return ret;
|
108
104
|
}
|
109
105
|
|
110
|
-
/* _decrypt_with_cipher decrypts @in with the OpenSSL cipher
|
111
|
-
* @cipher.
|
106
|
+
/* _decrypt_with_cipher decrypts @in with the specified OpenSSL cipher.
|
107
|
+
* @cipher is a usable EVP_CIPHER, or NULL if early initialization failed.
|
108
|
+
* @cipher_description is a human-readable description used when reporting deferred errors from initialization, required
|
109
|
+
* if @cipher might be NULL.
|
112
110
|
* @key is the input key. @iv is the input IV.
|
113
111
|
* @out is the output plaintext. @out must be allocated by the caller with
|
114
112
|
* enough room for the plaintext.
|
115
113
|
* @bytes_written is the number of bytes that were written to @out.
|
116
114
|
* Returns false and sets @status on error. @status is required. */
|
117
|
-
static bool _decrypt_with_cipher(const EVP_CIPHER *cipher, aes_256_args_t args) {
|
118
|
-
EVP_CIPHER_CTX *ctx;
|
119
|
-
bool ret = false;
|
120
|
-
int intermediate_bytes_written = 0;
|
121
|
-
mongocrypt_status_t *status = args.status;
|
122
|
-
|
123
|
-
ctx = EVP_CIPHER_CTX_new();
|
124
|
-
BSON_ASSERT(ctx);
|
125
|
-
|
126
|
-
BSON_ASSERT_PARAM(cipher);
|
115
|
+
static bool _decrypt_with_cipher(const EVP_CIPHER *cipher, const char *cipher_description, aes_256_args_t args) {
|
127
116
|
BSON_ASSERT(args.iv);
|
128
117
|
BSON_ASSERT(args.key);
|
129
118
|
BSON_ASSERT(args.in);
|
130
119
|
BSON_ASSERT(args.out);
|
120
|
+
BSON_ASSERT(args.in->len <= INT_MAX);
|
121
|
+
|
122
|
+
mongocrypt_status_t *status = args.status;
|
123
|
+
if (!cipher) {
|
124
|
+
BSON_ASSERT_PARAM(cipher_description);
|
125
|
+
CLIENT_ERR("failed to initialize cipher %s", cipher_description);
|
126
|
+
return false;
|
127
|
+
}
|
128
|
+
|
131
129
|
BSON_ASSERT((uint32_t)EVP_CIPHER_iv_length(cipher) == args.iv->len);
|
132
130
|
BSON_ASSERT((uint32_t)EVP_CIPHER_key_length(cipher) == args.key->len);
|
133
|
-
|
131
|
+
|
132
|
+
bool ret = false;
|
133
|
+
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
|
134
|
+
BSON_ASSERT(ctx);
|
134
135
|
|
135
136
|
if (!EVP_DecryptInit_ex(ctx, cipher, NULL /* engine */, args.key->data, args.iv->data)) {
|
136
137
|
CLIENT_ERR("error in EVP_DecryptInit_ex: %s", ERR_error_string(ERR_get_error(), NULL));
|
@@ -142,6 +143,7 @@ static bool _decrypt_with_cipher(const EVP_CIPHER *cipher, aes_256_args_t args)
|
|
142
143
|
|
143
144
|
*args.bytes_written = 0;
|
144
145
|
|
146
|
+
int intermediate_bytes_written = 0;
|
145
147
|
if (!EVP_DecryptUpdate(ctx, args.out->data, &intermediate_bytes_written, args.in->data, (int)args.in->len)) {
|
146
148
|
CLIENT_ERR("error in EVP_DecryptUpdate: %s", ERR_error_string(ERR_get_error(), NULL));
|
147
149
|
goto done;
|
@@ -165,16 +167,186 @@ done:
|
|
165
167
|
return ret;
|
166
168
|
}
|
167
169
|
|
170
|
+
bool _native_crypto_random(_mongocrypt_buffer_t *out, uint32_t count, mongocrypt_status_t *status) {
|
171
|
+
BSON_ASSERT_PARAM(out);
|
172
|
+
BSON_ASSERT(count <= INT_MAX);
|
173
|
+
|
174
|
+
int ret = RAND_bytes(out->data, (int)count);
|
175
|
+
/* From man page: "RAND_bytes() and RAND_priv_bytes() return 1 on success, -1
|
176
|
+
* if not supported by the current RAND method, or 0 on other failure. The
|
177
|
+
* error code can be obtained by ERR_get_error(3)" */
|
178
|
+
if (ret == -1) {
|
179
|
+
CLIENT_ERR("secure random IV not supported: %s", ERR_error_string(ERR_get_error(), NULL));
|
180
|
+
return false;
|
181
|
+
} else if (ret == 0) {
|
182
|
+
CLIENT_ERR("failed to generate random IV: %s", ERR_error_string(ERR_get_error(), NULL));
|
183
|
+
return false;
|
184
|
+
}
|
185
|
+
return true;
|
186
|
+
}
|
187
|
+
|
188
|
+
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
189
|
+
// Newest libcrypto support: requires EVP_MAC_CTX_dup and EVP_CIPHER_fetch added in OpenSSL 3.0.0
|
190
|
+
|
191
|
+
static struct {
|
192
|
+
EVP_MAC_CTX *hmac_sha2_256;
|
193
|
+
EVP_MAC_CTX *hmac_sha2_512;
|
194
|
+
EVP_CIPHER *aes_256_cbc;
|
195
|
+
EVP_CIPHER *aes_256_ctr;
|
196
|
+
EVP_CIPHER *aes_256_ecb; // For testing only
|
197
|
+
} _mongocrypt_libcrypto;
|
198
|
+
|
199
|
+
EVP_MAC_CTX *_build_hmac_ctx_prototype(const char *digest_name) {
|
200
|
+
EVP_MAC *hmac = EVP_MAC_fetch(NULL, OSSL_MAC_NAME_HMAC, NULL);
|
201
|
+
if (!hmac) {
|
202
|
+
return NULL;
|
203
|
+
}
|
204
|
+
|
205
|
+
EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(hmac);
|
206
|
+
EVP_MAC_free(hmac);
|
207
|
+
if (!ctx) {
|
208
|
+
return NULL;
|
209
|
+
}
|
210
|
+
|
211
|
+
OSSL_PARAM params[] = {OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, (char *)digest_name, 0),
|
212
|
+
OSSL_PARAM_construct_end()};
|
213
|
+
|
214
|
+
if (EVP_MAC_CTX_set_params(ctx, params)) {
|
215
|
+
return ctx;
|
216
|
+
} else {
|
217
|
+
EVP_MAC_CTX_free(ctx);
|
218
|
+
return NULL;
|
219
|
+
}
|
220
|
+
}
|
221
|
+
|
222
|
+
/* _hmac_with_ctx_prototype computes an HMAC of @in using an OpenSSL context duplicated from @ctx_prototype.
|
223
|
+
* @ctx_description is a human-readable description used when reporting deferred errors from initialization, required
|
224
|
+
* if @ctx_prototype might be NULL.
|
225
|
+
* @key is the input key.
|
226
|
+
* @out is the output. @out must be allocated by the caller with
|
227
|
+
* the exact length for the output. E.g. for HMAC 256, @out->len must be 32.
|
228
|
+
* Returns false and sets @status on error. @status is required. */
|
229
|
+
static bool _hmac_with_ctx_prototype(const EVP_MAC_CTX *ctx_prototype,
|
230
|
+
const char *ctx_description,
|
231
|
+
const _mongocrypt_buffer_t *key,
|
232
|
+
const _mongocrypt_buffer_t *in,
|
233
|
+
_mongocrypt_buffer_t *out,
|
234
|
+
mongocrypt_status_t *status) {
|
235
|
+
BSON_ASSERT_PARAM(key);
|
236
|
+
BSON_ASSERT_PARAM(in);
|
237
|
+
BSON_ASSERT_PARAM(out);
|
238
|
+
BSON_ASSERT(key->len <= INT_MAX);
|
239
|
+
|
240
|
+
if (!ctx_prototype) {
|
241
|
+
BSON_ASSERT_PARAM(ctx_description);
|
242
|
+
CLIENT_ERR("failed to initialize algorithm %s", ctx_description);
|
243
|
+
return false;
|
244
|
+
}
|
245
|
+
|
246
|
+
EVP_MAC_CTX *ctx = EVP_MAC_CTX_dup(ctx_prototype);
|
247
|
+
if (ctx) {
|
248
|
+
bool ok = EVP_MAC_init(ctx, key->data, key->len, NULL) && EVP_MAC_update(ctx, in->data, in->len)
|
249
|
+
&& EVP_MAC_final(ctx, out->data, NULL, out->len);
|
250
|
+
EVP_MAC_CTX_free(ctx);
|
251
|
+
if (ok) {
|
252
|
+
return true;
|
253
|
+
}
|
254
|
+
}
|
255
|
+
CLIENT_ERR("HMAC error: %s", ERR_error_string(ERR_get_error(), NULL));
|
256
|
+
return false;
|
257
|
+
}
|
258
|
+
|
259
|
+
void _native_crypto_init(void) {
|
260
|
+
// Early lookup of digest and cipher algorithms avoids both the lookup overhead itself and the overhead of lock
|
261
|
+
// contention in the default OSSL_LIB_CTX.
|
262
|
+
//
|
263
|
+
// Failures now will store NULL, reporting a client error later.
|
264
|
+
//
|
265
|
+
// On HMAC fetching:
|
266
|
+
//
|
267
|
+
// Note that libcrypto sets an additional trap for us regarding MAC algorithms. An early fetch of the HMAC itself
|
268
|
+
// won't actually pre-fetch the subalgorithm. The name of the inner digest gets stored as a string, and re-fetched
|
269
|
+
// when setting up MAC context parameters. To fetch both the outer and inner algorithms ahead of time, we construct
|
270
|
+
// a prototype EVP_MAC_CTX that can be duplicated before each use.
|
271
|
+
//
|
272
|
+
// On thread safety:
|
273
|
+
//
|
274
|
+
// This creates objects that are intended to be immutable shared data after initialization. To understand whether
|
275
|
+
// this is safe we could consult the OpenSSL documentation but currently it's lacking in specifics about the
|
276
|
+
// individual API functions and types. It offers some general guidelines: "Objects are thread-safe as long as the
|
277
|
+
// API's being invoked don't modify the object; in this case the parameter is usually marked in the API as C<const>.
|
278
|
+
// Not all parameters are marked this way." By inspection, we can see that pre-fetched ciphers and MACs are designed
|
279
|
+
// with atomic reference counting support and appear to be intended for safe immutable use. Contexts are normally
|
280
|
+
// not safe to share, but these used only as a source for EVP_MAC_CTX_dup() can be treated as immutable.
|
281
|
+
//
|
282
|
+
// TODO: This could be refactored to live in mongocrypt_t rather than in global data. Currently there's no way to
|
283
|
+
// avoid leaking this set of one-time allocations.
|
284
|
+
//
|
285
|
+
// TODO: Higher performance yet could be achieved by re-using thread local EVP_MAC_CTX, but this requires careful
|
286
|
+
// lifecycle management to avoid leaking data. Alternatively, the libmongocrypt API could be modified to include
|
287
|
+
// some non-shared but long-lived context suitable for keeping these crypto objects. Alternatively still, it may be
|
288
|
+
// worth using a self contained SHA2 HMAC with favorable performance and portability characteristics.
|
289
|
+
|
290
|
+
_mongocrypt_libcrypto.aes_256_cbc = EVP_CIPHER_fetch(NULL, "AES-256-CBC", NULL);
|
291
|
+
_mongocrypt_libcrypto.aes_256_ctr = EVP_CIPHER_fetch(NULL, "AES-256-CTR", NULL);
|
292
|
+
_mongocrypt_libcrypto.aes_256_ecb = EVP_CIPHER_fetch(NULL, "AES-256-ECB", NULL);
|
293
|
+
_mongocrypt_libcrypto.hmac_sha2_256 = _build_hmac_ctx_prototype(OSSL_DIGEST_NAME_SHA2_256);
|
294
|
+
_mongocrypt_libcrypto.hmac_sha2_512 = _build_hmac_ctx_prototype(OSSL_DIGEST_NAME_SHA2_512);
|
295
|
+
_native_crypto_initialized = true;
|
296
|
+
}
|
297
|
+
|
168
298
|
bool _native_crypto_aes_256_cbc_encrypt(aes_256_args_t args) {
|
169
|
-
return _encrypt_with_cipher(
|
299
|
+
return _encrypt_with_cipher(_mongocrypt_libcrypto.aes_256_cbc, "AES-256-CBC", args);
|
170
300
|
}
|
171
301
|
|
172
302
|
bool _native_crypto_aes_256_cbc_decrypt(aes_256_args_t args) {
|
173
|
-
return _decrypt_with_cipher(
|
303
|
+
return _decrypt_with_cipher(_mongocrypt_libcrypto.aes_256_cbc, "AES-256-CBC", args);
|
174
304
|
}
|
175
305
|
|
306
|
+
bool _native_crypto_aes_256_ecb_encrypt(aes_256_args_t args); // -Wmissing-prototypes: for testing only.
|
307
|
+
|
176
308
|
bool _native_crypto_aes_256_ecb_encrypt(aes_256_args_t args) {
|
177
|
-
return _encrypt_with_cipher(
|
309
|
+
return _encrypt_with_cipher(_mongocrypt_libcrypto.aes_256_ecb, "AES-256-ECB", args);
|
310
|
+
}
|
311
|
+
|
312
|
+
bool _native_crypto_aes_256_ctr_encrypt(aes_256_args_t args) {
|
313
|
+
return _encrypt_with_cipher(_mongocrypt_libcrypto.aes_256_ctr, "AES-256-CTR", args);
|
314
|
+
}
|
315
|
+
|
316
|
+
bool _native_crypto_aes_256_ctr_decrypt(aes_256_args_t args) {
|
317
|
+
return _decrypt_with_cipher(_mongocrypt_libcrypto.aes_256_ctr, "AES-256-CTR", args);
|
318
|
+
}
|
319
|
+
|
320
|
+
bool _native_crypto_hmac_sha_256(const _mongocrypt_buffer_t *key,
|
321
|
+
const _mongocrypt_buffer_t *in,
|
322
|
+
_mongocrypt_buffer_t *out,
|
323
|
+
mongocrypt_status_t *status) {
|
324
|
+
return _hmac_with_ctx_prototype(_mongocrypt_libcrypto.hmac_sha2_256, "HMAC-SHA2-256", key, in, out, status);
|
325
|
+
}
|
326
|
+
|
327
|
+
bool _native_crypto_hmac_sha_512(const _mongocrypt_buffer_t *key,
|
328
|
+
const _mongocrypt_buffer_t *in,
|
329
|
+
_mongocrypt_buffer_t *out,
|
330
|
+
mongocrypt_status_t *status) {
|
331
|
+
return _hmac_with_ctx_prototype(_mongocrypt_libcrypto.hmac_sha2_512, "HMAC-SHA2-512", key, in, out, status);
|
332
|
+
}
|
333
|
+
|
334
|
+
#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
335
|
+
// Support for previous libcrypto versions, without early fetch optimization.
|
336
|
+
|
337
|
+
#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
|
338
|
+
static HMAC_CTX *HMAC_CTX_new(void) {
|
339
|
+
return bson_malloc0(sizeof(HMAC_CTX));
|
340
|
+
}
|
341
|
+
|
342
|
+
static void HMAC_CTX_free(HMAC_CTX *ctx) {
|
343
|
+
HMAC_CTX_cleanup(ctx);
|
344
|
+
bson_free(ctx);
|
345
|
+
}
|
346
|
+
#endif
|
347
|
+
|
348
|
+
void _native_crypto_init(void) {
|
349
|
+
_native_crypto_initialized = true;
|
178
350
|
}
|
179
351
|
|
180
352
|
/* _hmac_with_hash computes an HMAC of @in with the OpenSSL hash specified by
|
@@ -233,37 +405,26 @@ done:
|
|
233
405
|
#endif
|
234
406
|
}
|
235
407
|
|
236
|
-
bool
|
237
|
-
|
238
|
-
_mongocrypt_buffer_t *out,
|
239
|
-
mongocrypt_status_t *status) {
|
240
|
-
return _hmac_with_hash(EVP_sha512(), key, in, out, status);
|
408
|
+
bool _native_crypto_aes_256_cbc_encrypt(aes_256_args_t args) {
|
409
|
+
return _encrypt_with_cipher(EVP_aes_256_cbc(), NULL, args);
|
241
410
|
}
|
242
411
|
|
243
|
-
bool
|
244
|
-
|
245
|
-
|
412
|
+
bool _native_crypto_aes_256_cbc_decrypt(aes_256_args_t args) {
|
413
|
+
return _decrypt_with_cipher(EVP_aes_256_cbc(), NULL, args);
|
414
|
+
}
|
246
415
|
|
247
|
-
|
248
|
-
|
249
|
-
|
250
|
-
|
251
|
-
if (ret == -1) {
|
252
|
-
CLIENT_ERR("secure random IV not supported: %s", ERR_error_string(ERR_get_error(), NULL));
|
253
|
-
return false;
|
254
|
-
} else if (ret == 0) {
|
255
|
-
CLIENT_ERR("failed to generate random IV: %s", ERR_error_string(ERR_get_error(), NULL));
|
256
|
-
return false;
|
257
|
-
}
|
258
|
-
return true;
|
416
|
+
bool _native_crypto_aes_256_ecb_encrypt(aes_256_args_t args); // -Wmissing-prototypes: for testing only.
|
417
|
+
|
418
|
+
bool _native_crypto_aes_256_ecb_encrypt(aes_256_args_t args) {
|
419
|
+
return _encrypt_with_cipher(EVP_aes_256_ecb(), NULL, args);
|
259
420
|
}
|
260
421
|
|
261
422
|
bool _native_crypto_aes_256_ctr_encrypt(aes_256_args_t args) {
|
262
|
-
return _encrypt_with_cipher(EVP_aes_256_ctr(), args);
|
423
|
+
return _encrypt_with_cipher(EVP_aes_256_ctr(), NULL, args);
|
263
424
|
}
|
264
425
|
|
265
426
|
bool _native_crypto_aes_256_ctr_decrypt(aes_256_args_t args) {
|
266
|
-
return _decrypt_with_cipher(EVP_aes_256_ctr(), args);
|
427
|
+
return _decrypt_with_cipher(EVP_aes_256_ctr(), NULL, args);
|
267
428
|
}
|
268
429
|
|
269
430
|
bool _native_crypto_hmac_sha_256(const _mongocrypt_buffer_t *key,
|
@@ -273,4 +434,13 @@ bool _native_crypto_hmac_sha_256(const _mongocrypt_buffer_t *key,
|
|
273
434
|
return _hmac_with_hash(EVP_sha256(), key, in, out, status);
|
274
435
|
}
|
275
436
|
|
437
|
+
bool _native_crypto_hmac_sha_512(const _mongocrypt_buffer_t *key,
|
438
|
+
const _mongocrypt_buffer_t *in,
|
439
|
+
_mongocrypt_buffer_t *out,
|
440
|
+
mongocrypt_status_t *status) {
|
441
|
+
return _hmac_with_hash(EVP_sha512(), key, in, out, status);
|
442
|
+
}
|
443
|
+
|
444
|
+
#endif /* OPENSSL_VERSION_NUMBER */
|
445
|
+
|
276
446
|
#endif /* MONGOCRYPT_ENABLE_CRYPTO_LIBCRYPTO */
|
@@ -102,13 +102,15 @@ int do_main(int argc, const char *const *argv) {
|
|
102
102
|
|
103
103
|
mcr_dll csfle = mcr_dll_open(argv[1]);
|
104
104
|
auto close_csfle = DEFER({ mcr_dll_close(csfle); });
|
105
|
-
if (csfle.error_string.data) {
|
106
|
-
std::cerr << "Failed to open [" << argv[1] << "] as a dynamic library: " << csfle.error_string.data << '\n';
|
105
|
+
if (csfle.error_string.raw.data) {
|
106
|
+
std::cerr << "Failed to open [" << argv[1] << "] as a dynamic library: " << csfle.error_string.raw.data << '\n';
|
107
107
|
return 3;
|
108
108
|
}
|
109
109
|
|
110
110
|
#define LOAD_SYM(Name) \
|
111
|
+
MC_BEGIN_CAST_FUNCTION_TYPE_STRICT_IGNORE \
|
111
112
|
auto Name = reinterpret_cast<decltype(&(::Name))>(mcr_dll_sym(csfle, #Name)); \
|
113
|
+
MC_END_CAST_FUNCTION_TYPE_STRICT_IGNORE \
|
112
114
|
if (!Name) { \
|
113
115
|
fprintf(stderr, "Failed to load required symbol [%s] from the given csfle library", #Name); \
|
114
116
|
return 4; \
|
@@ -11,11 +11,11 @@
|
|
11
11
|
// the ImportDFP.cmake script:
|
12
12
|
#ifndef MONGOCRYPT_INTELDFP
|
13
13
|
// Notify includers that Decimal128 is not available:
|
14
|
-
#define MONGOCRYPT_HAVE_DECIMAL128_SUPPORT
|
14
|
+
#define MONGOCRYPT_HAVE_DECIMAL128_SUPPORT() false
|
15
15
|
|
16
16
|
#else // With IntelDFP:
|
17
17
|
// Tell includers that Decimal128 is okay:
|
18
|
-
#define MONGOCRYPT_HAVE_DECIMAL128_SUPPORT
|
18
|
+
#define MONGOCRYPT_HAVE_DECIMAL128_SUPPORT() true
|
19
19
|
|
20
20
|
// Include the header that declares the DFP functions, which may be macros that
|
21
21
|
// expand to renamed symbols:
|
@@ -2,7 +2,7 @@
|
|
2
2
|
|
3
3
|
#include <cstdio>
|
4
4
|
|
5
|
-
#if MONGOCRYPT_HAVE_DECIMAL128_SUPPORT
|
5
|
+
#if MONGOCRYPT_HAVE_DECIMAL128_SUPPORT()
|
6
6
|
|
7
7
|
#include <stdlib.h>
|
8
8
|
|
@@ -76,4 +76,4 @@ int main() {
|
|
76
76
|
std::puts("@@ctest-skip@@\n Decimal128 support is not enabled\n");
|
77
77
|
}
|
78
78
|
|
79
|
-
#endif
|
79
|
+
#endif
|
@@ -53,10 +53,7 @@ typedef struct {
|
|
53
53
|
* into @efc. Fields are copied from @efc_bson. It is OK to free efc_bson after
|
54
54
|
* this call. Fields are appended in reverse order to @efc->fields. Extra
|
55
55
|
* unrecognized fields are not considered an error for forward compatibility. */
|
56
|
-
bool mc_EncryptedFieldConfig_parse(mc_EncryptedFieldConfig_t *efc,
|
57
|
-
const bson_t *efc_bson,
|
58
|
-
mongocrypt_status_t *status,
|
59
|
-
bool use_range_v2);
|
56
|
+
bool mc_EncryptedFieldConfig_parse(mc_EncryptedFieldConfig_t *efc, const bson_t *efc_bson, mongocrypt_status_t *status);
|
60
57
|
|
61
58
|
void mc_EncryptedFieldConfig_cleanup(mc_EncryptedFieldConfig_t *efc);
|
62
59
|
|
@@ -51,7 +51,7 @@ _parse_supported_query_types(bson_iter_t *iter, supported_query_type_flags *out,
|
|
51
51
|
BSON_ASSERT_PARAM(iter);
|
52
52
|
BSON_ASSERT_PARAM(out);
|
53
53
|
if (!BSON_ITER_HOLDS_DOCUMENT(iter)) {
|
54
|
-
CLIENT_ERR("When parsing supported query types: Expected type document, got: %d", bson_iter_type(iter));
|
54
|
+
CLIENT_ERR("When parsing supported query types: Expected type document, got: %d", (int)bson_iter_type(iter));
|
55
55
|
return false;
|
56
56
|
}
|
57
57
|
|
@@ -66,7 +66,7 @@ _parse_supported_query_types(bson_iter_t *iter, supported_query_type_flags *out,
|
|
66
66
|
}
|
67
67
|
if (!BSON_ITER_HOLDS_UTF8(&query_type_iter)) {
|
68
68
|
CLIENT_ERR("When parsing supported query types: Expected 'queryType' to be type UTF-8, got: %d",
|
69
|
-
bson_iter_type(&query_type_iter));
|
69
|
+
(int)bson_iter_type(&query_type_iter));
|
70
70
|
return false;
|
71
71
|
}
|
72
72
|
const char *queryType = bson_iter_utf8(&query_type_iter, NULL /* length */);
|
@@ -78,8 +78,7 @@ _parse_supported_query_types(bson_iter_t *iter, supported_query_type_flags *out,
|
|
78
78
|
}
|
79
79
|
|
80
80
|
/* _parse_field parses and prepends one field document to efc->fields. */
|
81
|
-
static bool
|
82
|
-
_parse_field(mc_EncryptedFieldConfig_t *efc, bson_t *field, mongocrypt_status_t *status, bool use_range_v2) {
|
81
|
+
static bool _parse_field(mc_EncryptedFieldConfig_t *efc, bson_t *field, mongocrypt_status_t *status) {
|
83
82
|
supported_query_type_flags query_types = SUPPORTS_NO_QUERIES;
|
84
83
|
bson_iter_t field_iter;
|
85
84
|
|
@@ -91,7 +90,7 @@ _parse_field(mc_EncryptedFieldConfig_t *efc, bson_t *field, mongocrypt_status_t
|
|
91
90
|
return false;
|
92
91
|
}
|
93
92
|
if (!BSON_ITER_HOLDS_BINARY(&field_iter)) {
|
94
|
-
CLIENT_ERR("expected 'fields.keyId' to be type binary, got: %d", bson_iter_type(&field_iter));
|
93
|
+
CLIENT_ERR("expected 'fields.keyId' to be type binary, got: %d", (int)bson_iter_type(&field_iter));
|
95
94
|
return false;
|
96
95
|
}
|
97
96
|
_mongocrypt_buffer_t field_keyid;
|
@@ -106,7 +105,7 @@ _parse_field(mc_EncryptedFieldConfig_t *efc, bson_t *field, mongocrypt_status_t
|
|
106
105
|
return false;
|
107
106
|
}
|
108
107
|
if (!BSON_ITER_HOLDS_UTF8(&field_iter)) {
|
109
|
-
CLIENT_ERR("expected 'fields.path' to be type UTF-8, got: %d", bson_iter_type(&field_iter));
|
108
|
+
CLIENT_ERR("expected 'fields.path' to be type UTF-8, got: %d", (int)bson_iter_type(&field_iter));
|
110
109
|
return false;
|
111
110
|
}
|
112
111
|
field_path = bson_iter_utf8(&field_iter, NULL /* length */);
|
@@ -141,8 +140,8 @@ _parse_field(mc_EncryptedFieldConfig_t *efc, bson_t *field, mongocrypt_status_t
|
|
141
140
|
}
|
142
141
|
}
|
143
142
|
|
144
|
-
if (query_types & SUPPORTS_RANGE_PREVIEW_DEPRECATED_QUERIES
|
145
|
-
//
|
143
|
+
if (query_types & SUPPORTS_RANGE_PREVIEW_DEPRECATED_QUERIES) {
|
144
|
+
// Error if the removed "rangePreview" is included.
|
146
145
|
// This check is intended to give an easier-to-understand earlier error.
|
147
146
|
CLIENT_ERR("Cannot use field '%s' with 'rangePreview' queries. 'rangePreview' is unsupported. Use 'range' "
|
148
147
|
"instead. 'range' is not compatible with 'rangePreview' and requires recreating the collection.",
|
@@ -163,8 +162,7 @@ _parse_field(mc_EncryptedFieldConfig_t *efc, bson_t *field, mongocrypt_status_t
|
|
163
162
|
|
164
163
|
bool mc_EncryptedFieldConfig_parse(mc_EncryptedFieldConfig_t *efc,
|
165
164
|
const bson_t *efc_bson,
|
166
|
-
mongocrypt_status_t *status
|
167
|
-
bool use_range_v2) {
|
165
|
+
mongocrypt_status_t *status) {
|
168
166
|
bson_iter_t iter;
|
169
167
|
|
170
168
|
BSON_ASSERT_PARAM(efc);
|
@@ -189,7 +187,7 @@ bool mc_EncryptedFieldConfig_parse(mc_EncryptedFieldConfig_t *efc,
|
|
189
187
|
if (!mc_iter_document_as_bson(&iter, &field, status)) {
|
190
188
|
return false;
|
191
189
|
}
|
192
|
-
if (!_parse_field(efc, &field, status
|
190
|
+
if (!_parse_field(efc, &field, status)) {
|
193
191
|
return false;
|
194
192
|
}
|
195
193
|
// The first element of efc->fields contains the newly parsed field.
|
@@ -86,10 +86,7 @@ typedef struct {
|
|
86
86
|
BSON_STATIC_ASSERT2(alignof_mc_FLE2RangeFindSpec_t,
|
87
87
|
BSON_ALIGNOF(mc_FLE2RangeFindSpec_t) >= BSON_ALIGNOF(mc_FLE2RangeFindSpecEdgesInfo_t));
|
88
88
|
|
89
|
-
bool mc_FLE2RangeFindSpec_parse(mc_FLE2RangeFindSpec_t *out,
|
90
|
-
const bson_iter_t *in,
|
91
|
-
bool use_range_v2,
|
92
|
-
mongocrypt_status_t *status);
|
89
|
+
bool mc_FLE2RangeFindSpec_parse(mc_FLE2RangeFindSpec_t *out, const bson_iter_t *in, mongocrypt_status_t *status);
|
93
90
|
|
94
91
|
/** mc_FLE2RangeInsertSpec_t represents the range insert specification that is
|
95
92
|
* encoded inside of a FLE2EncryptionPlaceholder. See
|
@@ -114,10 +111,7 @@ typedef struct {
|
|
114
111
|
BSON_STATIC_ASSERT2(alignof_mc_FLE2RangeInsertSpec_t,
|
115
112
|
BSON_ALIGNOF(mc_FLE2RangeInsertSpec_t) >= BSON_ALIGNOF(bson_iter_t));
|
116
113
|
|
117
|
-
bool mc_FLE2RangeInsertSpec_parse(mc_FLE2RangeInsertSpec_t *out,
|
118
|
-
const bson_iter_t *in,
|
119
|
-
bool use_range_v2,
|
120
|
-
mongocrypt_status_t *status);
|
114
|
+
bool mc_FLE2RangeInsertSpec_parse(mc_FLE2RangeInsertSpec_t *out, const bson_iter_t *in, mongocrypt_status_t *status);
|
121
115
|
|
122
116
|
// Note: For the substring/suffix/prefix insert specs, all lengths are in terms of number of UTF-8 codepoints, not
|
123
117
|
// number of bytes.
|
@@ -131,6 +125,10 @@ typedef struct {
|
|
131
125
|
uint32_t ub;
|
132
126
|
} mc_FLE2SubstringInsertSpec_t;
|
133
127
|
|
128
|
+
bool mc_FLE2SubstringInsertSpec_parse(mc_FLE2SubstringInsertSpec_t *out,
|
129
|
+
const bson_iter_t *in,
|
130
|
+
mongocrypt_status_t *status);
|
131
|
+
|
134
132
|
/* mc_FLE2SuffixInsertSpec_t holds the parameters used to encode for suffix search. */
|
135
133
|
typedef struct {
|
136
134
|
// lb is the lower bound on the length of suffixes to be indexed.
|
@@ -139,6 +137,8 @@ typedef struct {
|
|
139
137
|
uint32_t ub;
|
140
138
|
} mc_FLE2SuffixInsertSpec_t;
|
141
139
|
|
140
|
+
bool mc_FLE2SuffixInsertSpec_parse(mc_FLE2SuffixInsertSpec_t *out, const bson_iter_t *in, mongocrypt_status_t *status);
|
141
|
+
|
142
142
|
/* mc_FLE2PrefixInsertSpec_t holds the parameters used to encode for prefix search. */
|
143
143
|
typedef struct {
|
144
144
|
// lb is the lower bound on the length of prefixes to be indexed.
|
@@ -147,6 +147,8 @@ typedef struct {
|
|
147
147
|
uint32_t ub;
|
148
148
|
} mc_FLE2PrefixInsertSpec_t;
|
149
149
|
|
150
|
+
bool mc_FLE2PrefixInsertSpec_parse(mc_FLE2PrefixInsertSpec_t *out, const bson_iter_t *in, mongocrypt_status_t *status);
|
151
|
+
|
150
152
|
/** mc_FLE2TextSearchInsertSpec_t represents the text search insert specification that is
|
151
153
|
* encoded inside of a FLE2EncryptionPlaceholder. See
|
152
154
|
* https://github.com/mongodb/mongo/blob/master/src/mongo/crypto/fle_field_schema.idl
|