RubyGems - libmongocrypt-helper - Versions diffs - 1.8.0.0.1001 → 1.11.0.0.1001 - Mend

libmongocrypt-helper 1.8.0.0.1001 → 1.11.0.0.1001

Files changed (385) hide show

data/ext/libmongocrypt/libmongocrypt/integrating.md CHANGED Viewed

@@ -18,7 +18,7 @@ The binding uses the native language\'s foreign function interface to C.
 For example, Java can accomplish this with
 [JNA](https://github.com/java-native-access/jna), CPython with
 [extensions](https://docs.python.org/3/extending/extending.html),
-NodeJS with [add-ons](https://nodejs.org/api/addons.html), etc.
+Node.js with [add-ons](https://nodejs.org/api/addons.html), etc.
 The libmongocrypt library files (.so/.dll) are pre-built on its
 [Evergreen project](https://evergreen.mongodb.com/waterfall/libmongocrypt). Click
@@ -137,6 +137,23 @@ A result from a listCollections cursor.
 auto encrypt
+#### State: `MONGOCRYPT_CTX_NEED_MONGO_COLLINFO_WITH_DB` ####
+**libmongocrypt needs**...
+Results from a listCollections cursor from a specified database.
+**Driver needs to...**
+1.  Run listCollections on the encrypted MongoClient with the filter
+    provided by `mongocrypt_ctx_mongo_op` on the database provided by `mongocrypt_ctx_mongo_db`.
+2.  Return the first result (if any) with `mongocrypt_ctx_mongo_feed` or proceed to the next step if nothing was returned.
+3.  Call `mongocrypt_ctx_mongo_done`
+**Applies to...**
+A context initialized with `mongocrypt_ctx_encrypt_init` for automatic encryption. This state is only entered when `mongocrypt_setopt_use_need_mongo_collinfo_with_db_state` is called to opt-in.
 #### State: `MONGOCRYPT_CTX_NEED_MONGO_MARKINGS` ####
 **libmongocrypt needs**...

data/ext/libmongocrypt/libmongocrypt/kms-message/CMakeLists.txt CHANGED Viewed

@@ -71,6 +71,14 @@ else()
          "KMS_MESSAGE_ENABLE_CRYPTO_LIBCRYPTO")
 endif()
+include (CheckSymbolExists)
+CHECK_SYMBOL_EXISTS (gmtime_r time.h KMS_MESSAGE_HAVE_GMTIME_R)
+if (KMS_MESSAGE_HAVE_GMTIME_R)
+   set (KMS_MESSAGE_DEFINITIONS
+         ${KMS_MESSAGE_DEFINITIONS}
+         "KMS_MESSAGE_HAVE_GMTIME_R")
+endif ()
 include (TestBigEndian)
 TEST_BIG_ENDIAN (KMS_BIG_ENDIAN)
 if (KMS_BIG_ENDIAN)
@@ -114,9 +122,9 @@ if (NOT DISABLE_NATIVE_CRYPTO)
    else()
       include (FindOpenSSL)
       target_link_libraries(kms_message "${OPENSSL_LIBRARIES}")
-      target_include_directories(kms_message PRIVATE "${OPENSSL_INCLUDE_DIR}")
+      target_include_directories(kms_message SYSTEM PRIVATE "${OPENSSL_INCLUDE_DIR}")
       target_link_libraries(kms_message_static "${OPENSSL_LIBRARIES}")
-      target_include_directories(kms_message_static PRIVATE "${OPENSSL_INCLUDE_DIR}")
+      target_include_directories(kms_message_static SYSTEM PRIVATE "${OPENSSL_INCLUDE_DIR}")
    endif()
 endif ()
@@ -259,7 +267,7 @@ if (NOT DISABLE_NATIVE_CRYPTO)
    else()
       include (FindOpenSSL)
       target_link_libraries(test_kms_request "${OPENSSL_LIBRARIES}")
-      target_include_directories(test_kms_request PRIVATE "${OPENSSL_INCLUDE_DIR}")
+      target_include_directories(test_kms_request SYSTEM PRIVATE "${OPENSSL_INCLUDE_DIR}")
    endif()
    add_test (

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_gcp_request.c CHANGED Viewed

@@ -87,7 +87,7 @@ kms_gcp_request_oauth_new (const char *host,
       req->crypto.sign_ctx = opt->crypto.sign_ctx;
    }
-   jwt_signature = malloc (SIGNATURE_LEN);
+   jwt_signature = calloc (1, SIGNATURE_LEN);
    if (!req->crypto.sign_rsaes_pkcs1_v1_5 (
           req->crypto.sign_ctx,
           private_key_data,

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_kmip_reader_writer.c CHANGED Viewed

@@ -178,6 +178,14 @@ kmip_writer_write_enumeration (kmip_writer_t *writer, kmip_tag_type_t tag, int32
    kmip_writer_write_u32 (writer, 0);
 }
+void kmip_writer_write_bool (kmip_writer_t *writer, kmip_tag_type_t tag, bool value)
+{
+   kmip_writer_write_tag_enum (writer, tag);
+   kmip_writer_write_u8 (writer, KMIP_ITEM_TYPE_Boolean);
+   kmip_writer_write_u32 (writer, 8);
+   kmip_writer_write_u64(writer, (uint64_t) value);
+}
 void
 kmip_writer_write_datetime (kmip_writer_t *writer, kmip_tag_type_t tag, int64_t value)
 {
@@ -384,6 +392,15 @@ kmip_reader_read_enumeration (kmip_reader_t *reader, uint32_t *enum_value)
    return kmip_reader_read_u32 (reader, &ignored);
 }
+bool
+kmip_reader_read_bool (kmip_reader_t *reader, bool *value)
+{
+   uint64_t u64;
+   CHECK_AND_RET (kmip_reader_read_u64 (reader, &u64));
+   *value = (bool) u64;
+   return true;
+}
 bool
 kmip_reader_read_integer (kmip_reader_t *reader, int32_t *value)
 {

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_kmip_reader_writer_private.h CHANGED Viewed

@@ -59,6 +59,9 @@ kmip_writer_write_long_integer (kmip_writer_t *writer, kmip_tag_type_t tag, int6
 void
 kmip_writer_write_enumeration (kmip_writer_t *writer, kmip_tag_type_t tag, int32_t value);
+void
+kmip_writer_write_bool (kmip_writer_t *writer, kmip_tag_type_t tag, bool value);
 void
 kmip_writer_write_datetime (kmip_writer_t *writer, kmip_tag_type_t tag, int64_t value);
@@ -112,6 +115,9 @@ kmip_reader_read_type (kmip_reader_t *reader, kmip_item_type_t *type);
 bool
 kmip_reader_read_enumeration (kmip_reader_t *reader, uint32_t *enum_value);
+bool
+kmip_reader_read_bool (kmip_reader_t *reader, bool *value);
 bool
 kmip_reader_read_integer (kmip_reader_t *reader, int32_t *value);

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_kmip_request.c CHANGED Viewed

@@ -16,6 +16,7 @@
 #include "kms_message/kms_kmip_request.h"
+#include "kms_kmip_tag_type_private.h"
 #include "kms_message_private.h"
 #include "kms_kmip_reader_writer_private.h"
@@ -181,7 +182,7 @@ kms_kmip_request_activate_new (void *reserved, const char *unique_identifer)
    kmip_writer_close_struct (writer); /* KMIP_TAG_RequestHeader */
    kmip_writer_begin_struct (writer, KMIP_TAG_BatchItem);
-   /* 0x0A == Get */
+   /* 0x12 == Activate */
    kmip_writer_write_enumeration (writer, KMIP_TAG_Operation, 0x12);
    kmip_writer_begin_struct (writer, KMIP_TAG_RequestPayload);
    kmip_writer_write_string (writer,
@@ -254,3 +255,212 @@ kms_kmip_request_get_new (void *reserved, const char *unique_identifer)
    kmip_writer_destroy (writer);
    return req;
 }
+kms_request_t *
+kms_kmip_request_create_new (void *reserved) {
+   /*
+   Create a KMIP Create request of this form:
+   <RequestMessage tag="0x420078" type="Structure">
+    <RequestHeader tag="0x420077" type="Structure">
+     <ProtocolVersion tag="0x420069" type="Structure">
+      <ProtocolVersionMajor tag="0x42006a" type="Integer" value="1"/>
+      <ProtocolVersionMinor tag="0x42006b" type="Integer" value="2"/>
+     </ProtocolVersion>
+     <BatchCount tag="0x42000d" type="Integer" value="1"/>
+    </RequestHeader>
+    <BatchItem tag="0x42000f" type="Structure">
+     <Operation tag="0x42005c" type="Enumeration" value="1"/>
+     <RequestPayload tag="0x420079" type="Structure">
+      <ObjectType tag="0x420057" type="Enumeration" value="2"/>
+      <TemplateAttribute tag="0x420091" type="Structure">
+       <Attribute tag="0x420008" type="Structure">
+        <AttributeName tag="0x42000a" type="TextString" value="Cryptographic Algorithm"/>
+        <AttributeValue tag="0x42000b" type="Enumeration" value="3"/>
+       </Attribute>
+       <Attribute tag="0x420008" type="Structure">
+        <AttributeName tag="0x42000a" type="TextString" value="Cryptographic Length"/>
+        <AttributeValue tag="0x42000b" type="Integer" value="256"/>
+       </Attribute>
+       <Attribute tag="0x420008" type="Structure">
+        <AttributeName tag="0x42000a" type="TextString" value="Cryptographic
+   Usage Mask"/> <AttributeValue tag="0x42000b" type="Integer" value="12"/>
+       </Attribute>
+      </TemplateAttribute>
+     </RequestPayload>
+    </BatchItem>
+   </RequestMessage>
+   */
+   kmip_writer_t *writer;
+   kms_request_t *req;
+   req = calloc (1, sizeof (kms_request_t));
+   req->provider = KMS_REQUEST_PROVIDER_KMIP;
+   writer = kmip_writer_new();
+   kmip_writer_begin_struct(writer, KMIP_TAG_RequestMessage);
+   kmip_writer_begin_struct (writer, KMIP_TAG_RequestHeader);
+   kmip_writer_begin_struct (writer, KMIP_TAG_ProtocolVersion);
+   kmip_writer_write_integer (writer, KMIP_TAG_ProtocolVersionMajor, 1);
+   kmip_writer_write_integer (writer, KMIP_TAG_ProtocolVersionMinor, 2);
+   kmip_writer_close_struct (writer); /* KMIP_TAG_ProtocolVersion */
+   kmip_writer_write_integer (writer, KMIP_TAG_BatchCount, 1);
+   kmip_writer_close_struct (writer); /* KMIP_TAG_RequestHeader */
+   kmip_writer_begin_struct (writer, KMIP_TAG_BatchItem);
+   /* 0x01 == Create */
+   kmip_writer_write_enumeration (writer, KMIP_TAG_Operation, 0x01);
+   kmip_writer_begin_struct (writer, KMIP_TAG_RequestPayload);
+   /* 0x02 == symmetric key */
+   kmip_writer_write_enumeration(writer, KMIP_TAG_ObjectType, 0x02);
+   {
+      kmip_writer_begin_struct (writer, KMIP_TAG_TemplateAttribute);
+      kmip_writer_begin_struct (writer, KMIP_TAG_Attribute);
+      const char *cryptographicAlgorithmStr = "Cryptographic Algorithm";
+      kmip_writer_write_string (writer,
+                                KMIP_TAG_AttributeName,
+                                cryptographicAlgorithmStr,
+                                strlen (cryptographicAlgorithmStr));
+      kmip_writer_write_enumeration (writer, KMIP_TAG_AttributeValue, 3 /* AES */);
+      kmip_writer_close_struct (writer);
+      kmip_writer_begin_struct (writer, KMIP_TAG_Attribute);
+      const char *cryptographicLengthStr = "Cryptographic Length";
+      kmip_writer_write_string (writer,
+                                KMIP_TAG_AttributeName,
+                                cryptographicLengthStr,
+                                strlen (cryptographicLengthStr));
+      kmip_writer_write_integer (writer, KMIP_TAG_AttributeValue, 256);
+      kmip_writer_close_struct (writer);
+      kmip_writer_begin_struct (writer, KMIP_TAG_Attribute);
+      const char *cryptographicUsageMaskStr = "Cryptographic Usage Mask";
+      kmip_writer_write_string (writer,
+                                KMIP_TAG_AttributeName,
+                                cryptographicUsageMaskStr,
+                                strlen (cryptographicUsageMaskStr));
+      kmip_writer_write_integer (writer, KMIP_TAG_AttributeValue, 4 | 8 /* Encrypt | Decrypt */);
+      kmip_writer_close_struct (writer);
+      kmip_writer_close_struct (writer); /* KMIP_TAG_TemplateAttribute */
+   }
+   kmip_writer_close_struct (writer); /* KMIP_TAG_RequestPayload */
+   kmip_writer_close_struct (writer); /* KMIP_TAG_BatchItem */
+   kmip_writer_close_struct (writer); /* KMIP_TAG_RequestMessage */
+   /* Copy the KMIP writer buffer to a KMIP request. */
+   copy_writer_buffer (req, writer);
+   kmip_writer_destroy (writer);
+   return req;
+}
+static kms_request_t *
+kmip_encrypt_decrypt (const char* unique_identifer, const uint8_t *data, size_t len,
+   const uint8_t *iv_data, size_t iv_len, bool encrypt) {
+   kmip_writer_t *writer;
+   kms_request_t *req;
+   req = calloc (1, sizeof (kms_request_t));
+   req->provider = KMS_REQUEST_PROVIDER_KMIP;
+   writer = kmip_writer_new();
+   kmip_writer_begin_struct(writer, KMIP_TAG_RequestMessage);
+   kmip_writer_begin_struct (writer, KMIP_TAG_RequestHeader);
+   kmip_writer_begin_struct (writer, KMIP_TAG_ProtocolVersion);
+   kmip_writer_write_integer (writer, KMIP_TAG_ProtocolVersionMajor, 1);
+   kmip_writer_write_integer (writer, KMIP_TAG_ProtocolVersionMinor, 2);
+   kmip_writer_close_struct (writer); /* KMIP_TAG_ProtocolVersion */
+   kmip_writer_write_integer (writer, KMIP_TAG_BatchCount, 1);
+   kmip_writer_close_struct (writer); /* KMIP_TAG_RequestHeader */
+   kmip_writer_begin_struct (writer, KMIP_TAG_BatchItem);
+   /* 0x1F == Encrypt, 0x20 == Decrypt*/
+   kmip_writer_write_enumeration (writer, KMIP_TAG_Operation, encrypt ? 0x1F : 0x20);
+   kmip_writer_begin_struct (writer, KMIP_TAG_RequestPayload);
+   kmip_writer_write_string (writer,
+                             KMIP_TAG_UniqueIdentifier,
+                             unique_identifer,
+                             strlen (unique_identifer));
+   kmip_writer_begin_struct (writer, KMIP_TAG_CryptographicParameters);
+   kmip_writer_write_enumeration(writer, KMIP_TAG_BlockCipherMode, 1 /* CBC */);
+   kmip_writer_write_enumeration(writer, KMIP_TAG_PaddingMethod, 3 /* PKCS5 */);
+   kmip_writer_write_enumeration(writer, KMIP_TAG_CryptographicAlgorithm, 3 /* AES */);
+   if (encrypt) kmip_writer_write_bool(writer, KMIP_TAG_RandomIV, true);
+   kmip_writer_close_struct(writer); /* KMIP_TAG_CryptographicParameters */
+   kmip_writer_write_bytes(writer, KMIP_TAG_Data, (char *) data, len);
+   if (!encrypt) kmip_writer_write_bytes(writer, KMIP_TAG_IVCounterNonce, (char *) iv_data, iv_len);
+   kmip_writer_close_struct (writer); /* KMIP_TAG_RequestPayload */
+   kmip_writer_close_struct (writer); /* KMIP_TAG_BatchItem */
+   kmip_writer_close_struct (writer); /* KMIP_TAG_RequestMessage */
+   /* Copy the KMIP writer buffer to a KMIP request. */
+   copy_writer_buffer (req, writer);
+   kmip_writer_destroy (writer);
+   return req;
+}
+kms_request_t *
+kms_kmip_request_encrypt_new (void *reserved, const char* unique_identifer, const uint8_t *plaintext, size_t len) {
+   /*
+   Create a KMIP Encrypt request of this form:
+   <RequestMessage tag="0x420078" type="Structure">
+    <RequestHeader tag="0x420077" type="Structure">
+     <ProtocolVersion tag="0x420069" type="Structure">
+      <ProtocolVersionMajor tag="0x42006a" type="Integer" value="1"/>
+      <ProtocolVersionMinor tag="0x42006b" type="Integer" value="2"/>
+     </ProtocolVersion>
+     <BatchCount tag="0x42000d" type="Integer" value="1"/>
+    </RequestHeader>
+    <BatchItem tag="0x42000f" type="Structure">
+     <Operation tag="0x42005c" type="Enumeration" value="31"/>
+     <RequestPayload tag="0x420079" type="Structure">
+      <UniqueIdentifier tag="0x420094" type="TextString" value="..."/>
+      <CryptographicParameters tag="0x42002b" type="Structure">
+       <BlockCipherMode tag="0x420011" type="Enumeration" value="1"/>
+       <PaddingMethod tag="0x42005f" type="Enumeration" value="3"/>
+       <CryptographicAlgorithm tag="0x420028" type="Enumeration" value="3"/>
+       <RandomIV tag="0x4200c5" type="Boolean" value="True"/>
+      </CryptographicParameters>
+      <Data tag="0x4200c2" type="ByteString" value="..."/>
+     </RequestPayload>
+    </BatchItem>
+   </RequestMessage>
+   */
+   return kmip_encrypt_decrypt(unique_identifer, plaintext, len, NULL, 0, true);
+}
+kms_request_t *
+kms_kmip_request_decrypt_new (void *reserved, const char* unique_identifer, const uint8_t *ciphertext, size_t len, const uint8_t *iv_data, size_t iv_len) {
+   /*
+   Create a KMIP Decrypt request of this form:
+   <RequestMessage tag="0x420078" type="Structure">
+    <RequestHeader tag="0x420077" type="Structure">
+     <ProtocolVersion tag="0x420069" type="Structure">
+      <ProtocolVersionMajor tag="0x42006a" type="Integer" value="1"/>
+      <ProtocolVersionMinor tag="0x42006b" type="Integer" value="2"/>
+     </ProtocolVersion>
+     <BatchCount tag="0x42000d" type="Integer" value="1"/>
+    </RequestHeader>
+    <BatchItem tag="0x42000f" type="Structure">
+     <Operation tag="0x42005c" type="Enumeration" value="32"/>
+     <RequestPayload tag="0x420079" type="Structure">
+      <UniqueIdentifier tag="0x420094" type="TextString" value="..."/>
+      <CryptographicParameters tag="0x42002b" type="Structure">
+       <BlockCipherMode tag="0x420011" type="Enumeration" value="1"/>
+       <PaddingMethod tag="0x42005f" type="Enumeration" value="3"/>
+       <CryptographicAlgorithm tag="0x420028" type="Enumeration" value="3"/>
+      </CryptographicParameters>
+      <Data tag="0x4200c2" type="ByteString" value="..."/>
+      <IVCounterNonce tag="0x42003d" type="ByteString" value="..."/>
+     </RequestPayload>
+    </BatchItem>
+   </RequestMessage>
+   */
+   return kmip_encrypt_decrypt(unique_identifer, ciphertext, len, iv_data, iv_len, false);
+}

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_kmip_response.c CHANGED Viewed

@@ -1,5 +1,7 @@
 #include "kms_message/kms_kmip_response.h"
+#include "kms_kmip_item_type_private.h"
+#include "kms_kmip_tag_type_private.h"
 #include "kms_message_private.h"
 #include "kms_kmip_reader_writer_private.h"
 #include "kms_kmip_result_reason_private.h"
@@ -209,6 +211,167 @@ fail:
    return kms_request_str_detach (nullterminated);
 }
+/*
+Example of a successful response to an Encrypt request:
+<ResponseMessage tag="0x42007b" type="Structure">
+ <ResponseHeader tag="0x42007a" type="Structure">
+  <ProtocolVersion tag="0x420069" type="Structure">
+   <ProtocolVersionMajor tag="0x42006a" type="Integer" value="1"/>
+   <ProtocolVersionMinor tag="0x42006b" type="Integer" value="2"/>
+  </ProtocolVersion>
+  <TimeStamp tag="0x420092" type="DateTime" value="2021-10-12T14:09:25-0500"/>
+  <BatchCount tag="0x42000d" type="Integer" value="1"/>
+ </ResponseHeader>
+ <BatchItem tag="0x42000f" type="Structure">
+  <Operation tag="0x42005c" type="Enumeration" value="31"/>
+  <ResultStatus tag="0x42007f" type="Enumeration" value="0"/>
+  <ResponsePayload tag="0x42007c" type="Structure">
+   <UniqueIdentifier tag="0x420094" type="TextString" value="39"/>
+   <Data tag="0x4200c2" type="ByteString" value="..."/>
+   <IVCounterNonce tag="0x42003d" type="ByteString" value="..."/>
+  </ResponsePayload>
+ </BatchItem>
+</ResponseMessage>
+*/
+uint8_t *
+kms_kmip_response_get_iv (kms_response_t *res, size_t *datalen) {
+   kmip_reader_t *reader = NULL;
+   size_t pos;
+   size_t len;
+   uint8_t *data = NULL;
+   uint8_t *tmp;
+   if (!check_and_require_kmip (res)) {
+      goto fail;
+   }
+   if (!kms_kmip_response_ok (res)) {
+      goto fail;
+   }
+   reader = kmip_reader_new (res->kmip.data, res->kmip.len);
+   if (!kmip_reader_find_and_recurse (reader, KMIP_TAG_ResponseMessage)) {
+      KMS_ERROR (res,
+                 "unable to find tag: %s",
+                 kmip_tag_to_string (KMIP_TAG_ResponseMessage));
+      goto fail;
+   }
+   if (!kmip_reader_find_and_recurse (reader, KMIP_TAG_BatchItem)) {
+      KMS_ERROR (res,
+                 "unable to find tag: %s",
+                 kmip_tag_to_string (KMIP_TAG_BatchItem));
+      goto fail;
+   }
+   if (!kmip_reader_find_and_recurse (reader, KMIP_TAG_ResponsePayload)) {
+      KMS_ERROR (res,
+                 "unable to find tag: %s",
+                 kmip_tag_to_string (KMIP_TAG_ResponsePayload));
+      goto fail;
+   }
+   if (!kmip_reader_find (reader, KMIP_TAG_IVCounterNonce, KMIP_ITEM_TYPE_ByteString, &pos, &len)) {
+      KMS_ERROR (res,
+                 "unable to find tag: %s",
+                 kmip_tag_to_string (KMIP_TAG_Data));
+      goto fail;
+   }
+   if (!kmip_reader_read_bytes (reader, &tmp, len)) {
+      KMS_ERROR (res, "unable to read data bytes");
+      goto fail;
+   }
+   data = malloc (len);
+   memcpy (data, tmp, len);
+   *datalen = len;
+   fail:
+   kmip_reader_destroy (reader);
+   return data;
+}
+/*
+Example of a successful response to a Decrypt request:
+<ResponseMessage tag="0x42007b" type="Structure">
+ <ResponseHeader tag="0x42007a" type="Structure">
+  <ProtocolVersion tag="0x420069" type="Structure">
+   <ProtocolVersionMajor tag="0x42006a" type="Integer" value="1"/>
+   <ProtocolVersionMinor tag="0x42006b" type="Integer" value="2"/>
+  </ProtocolVersion>
+  <TimeStamp tag="0x420092" type="DateTime" value="2021-10-12T14:09:25-0500"/>
+  <BatchCount tag="0x42000d" type="Integer" value="1"/>
+ </ResponseHeader>
+ <BatchItem tag="0x42000f" type="Structure">
+  <Operation tag="0x42005c" type="Enumeration" value="32"/>
+  <ResultStatus tag="0x42007f" type="Enumeration" value="0"/>
+  <ResponsePayload tag="0x42007c" type="Structure">
+   <UniqueIdentifier tag="0x420094" type="TextString" value="39"/>
+   <Data tag="0x4200c2" type="ByteString" value="..."/>
+  </ResponsePayload>
+ </BatchItem>
+</ResponseMessage>
+*/
+uint8_t *
+kms_kmip_response_get_data (kms_response_t *res, size_t *datalen) {
+   kmip_reader_t *reader = NULL;
+   size_t pos;
+   size_t len;
+   uint8_t *data = NULL;
+   uint8_t *tmp;
+   if (!check_and_require_kmip (res)) {
+      goto fail;
+   }
+   if (!kms_kmip_response_ok (res)) {
+      goto fail;
+   }
+   reader = kmip_reader_new (res->kmip.data, res->kmip.len);
+   if (!kmip_reader_find_and_recurse (reader, KMIP_TAG_ResponseMessage)) {
+      KMS_ERROR (res,
+                 "unable to find tag: %s",
+                 kmip_tag_to_string (KMIP_TAG_ResponseMessage));
+      goto fail;
+   }
+   if (!kmip_reader_find_and_recurse (reader, KMIP_TAG_BatchItem)) {
+      KMS_ERROR (res,
+                 "unable to find tag: %s",
+                 kmip_tag_to_string (KMIP_TAG_BatchItem));
+      goto fail;
+   }
+   if (!kmip_reader_find_and_recurse (reader, KMIP_TAG_ResponsePayload)) {
+      KMS_ERROR (res,
+                 "unable to find tag: %s",
+                 kmip_tag_to_string (KMIP_TAG_ResponsePayload));
+      goto fail;
+   }
+   if (!kmip_reader_find (reader, KMIP_TAG_Data, KMIP_ITEM_TYPE_ByteString, &pos, &len)) {
+      KMS_ERROR (res,
+                 "unable to find tag: %s",
+                 kmip_tag_to_string (KMIP_TAG_Data));
+      goto fail;
+   }
+   if (!kmip_reader_read_bytes (reader, &tmp, len)) {
+      KMS_ERROR (res, "unable to read data bytes");
+      goto fail;
+   }
+   data = malloc (len);
+   memcpy (data, tmp, len);
+   *datalen = len;
+   fail:
+   kmip_reader_destroy (reader);
+   return data;
+}
 /*
 Example of a successful response to a Get request:
 <ResponseMessage tag="0x42007b" type="Structure">

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_kmip_tag_type_private.h CHANGED Viewed

@@ -312,7 +312,8 @@
    KMS_X (AlwaysSensitive, 0x420121)                                                        \
    KMS_X (Extractable, 0x420122)                                                            \
    KMS_X (NeverExtractable, 0x420123)                                                       \
-   KMS_X_LAST (ReplaceExisting, 0x420124)
+   KMS_X (ReplaceExisting, 0x420124)                                                        \
+   KMS_X_LAST (Attributes, 0x420125)
 /* clang-format on */
 /* Generate an enum with each tag value. */

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_message/kms_kmip_request.h CHANGED Viewed

@@ -51,6 +51,23 @@ kms_kmip_request_activate_new (void *reserved, const char *unique_identifier);
 KMS_MSG_EXPORT (kms_request_t *)
 kms_kmip_request_get_new (void *reserved, const char *unique_identifier);
+KMS_MSG_EXPORT (kms_request_t *)
+kms_kmip_request_create_new (void *reserved);
+KMS_MSG_EXPORT (kms_request_t *)
+kms_kmip_request_encrypt_new (void *reserved,
+                          const char *unique_identifier,
+                          const uint8_t *plaintext,
+                          size_t len);
+KMS_MSG_EXPORT (kms_request_t *)
+kms_kmip_request_decrypt_new (void *reserved,
+                          const char *unique_identifier,
+                          const uint8_t *ciphertext,
+                          size_t len,
+                          const uint8_t *iv,
+                          size_t iv_len);
 #ifdef __cplusplus
 }
 #endif

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_message/kms_kmip_response.h CHANGED Viewed

@@ -37,4 +37,10 @@ kms_kmip_response_get_unique_identifier (kms_response_t *res);
 KMS_MSG_EXPORT (uint8_t *)
 kms_kmip_response_get_secretdata (kms_response_t *res, size_t *secretdatalen);
+KMS_MSG_EXPORT (uint8_t *)
+kms_kmip_response_get_data (kms_response_t *res, size_t *datalen);
+KMS_MSG_EXPORT (uint8_t *)
+kms_kmip_response_get_iv (kms_response_t *res, size_t *datalen);
 #endif /* KMS_KMIP_RESPONSE_H */

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_port.c CHANGED Viewed

@@ -18,7 +18,8 @@
 #if defined(_WIN32)
 #include <stdlib.h>
 #include <string.h>
-char * kms_strndup (const char *src, size_t len)
+char *
+kms_strndup (const char *src, size_t len)
 {
    char *dst = (char *) malloc (len + 1);
    if (!dst) {
@@ -30,4 +31,4 @@ char * kms_strndup (const char *src, size_t len)
    return dst;
 }
-#endif
+#endif

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_request.c CHANGED Viewed

@@ -181,10 +181,12 @@ kms_request_set_date (kms_request_t *request, const struct tm *tm)
       /* use current time */
       time_t t;
       time (&t);
-#ifdef _WIN32
+#if defined(KMS_MESSAGE_HAVE_GMTIME_R)
+      gmtime_r (&t, &tmp_tm);
+#elif defined(_MSC_VER)
       gmtime_s (&tmp_tm, &t);
 #else
-      gmtime_r (&t, &tmp_tm);
+      tmp_tm = *gmtime (&t);
 #endif
       tm = &tmp_tm;
    }

data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_request_str.c CHANGED Viewed

@@ -328,7 +328,7 @@ kms_request_str_append_stripped (kms_request_str_t *str,
    kms_request_str_reserve (str, appended->len);
-   // msvcrt is unhappy when it gets non-ANSI characters in isspace
+   /* msvcrt is unhappy when it gets non-ANSI characters in isspace */
    while (*src >= 0 && isspace (*src)) {
       ++src;
    }
@@ -366,7 +366,7 @@ kms_request_str_append_hashed (_kms_crypto_t *crypto,
                                kms_request_str_t *str,
                                kms_request_str_t *appended)
 {
-   uint8_t hash[32];
+   uint8_t hash[32] = {0};
    char *hex_chars;
    if (!crypto->sha256 (crypto->ctx, appended->str, appended->len, hash)) {