1 /* 2 * Copyright 2019-present MongoDB, Inc. 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #ifndef MONGOCRYPT_CTX_PRIVATE_H 18 #define MONGOCRYPT_CTX_PRIVATE_H 19 20 #include "mongocrypt.h" 21 #include "mongocrypt-private.h" 22 #include "mongocrypt-buffer-private.h" 23 #include "mongocrypt-key-broker-private.h" 24 #include "mongocrypt-key-private.h" 25 26 typedef enum { 27 _MONGOCRYPT_TYPE_NONE, 28 _MONGOCRYPT_TYPE_ENCRYPT, 29 _MONGOCRYPT_TYPE_DECRYPT, 30 _MONGOCRYPT_TYPE_CREATE_DATA_KEY, 31 } _mongocrypt_ctx_type_t; 32 33 34 /* Option values are validated when set. 35 * Different contexts accept/require different options, 36 * validated when a context is initialized. 37 */ 38 typedef struct __mongocrypt_ctx_opts_t { 39 _mongocrypt_kms_provider_t masterkey_kms_provider; 40 char *masterkey_aws_cmk; 41 uint32_t masterkey_aws_cmk_len; 42 char *masterkey_aws_region; 43 uint32_t masterkey_aws_region_len; 44 char *masterkey_aws_endpoint; 45 uint32_t masterkey_aws_endpoint_len; 46 _mongocrypt_buffer_t key_id; 47 _mongocrypt_key_alt_name_t *key_alt_names; 48 mongocrypt_encryption_algorithm_t algorithm; 49 } _mongocrypt_ctx_opts_t; 50 51 52 /* All derived contexts may override these methods. */ 53 typedef struct { 54 bool (*mongo_op_collinfo) (mongocrypt_ctx_t *ctx, mongocrypt_binary_t *out); 55 bool (*mongo_feed_collinfo) (mongocrypt_ctx_t *ctx, mongocrypt_binary_t *in); 56 bool (*mongo_done_collinfo) (mongocrypt_ctx_t *ctx); 57 bool (*mongo_op_markings) (mongocrypt_ctx_t *ctx, mongocrypt_binary_t *out); 58 bool (*mongo_feed_markings) (mongocrypt_ctx_t *ctx, mongocrypt_binary_t *in); 59 bool (*mongo_done_markings) (mongocrypt_ctx_t *ctx); 60 bool (*mongo_op_keys) (mongocrypt_ctx_t *ctx, mongocrypt_binary_t *out); 61 bool (*mongo_feed_keys) (mongocrypt_ctx_t *ctx, mongocrypt_binary_t *in); 62 bool (*mongo_done_keys) (mongocrypt_ctx_t *ctx); 63 mongocrypt_kms_ctx_t *(*next_kms_ctx) (mongocrypt_ctx_t *ctx); 64 bool (*kms_done) (mongocrypt_ctx_t *ctx); 65 bool (*finalize) (mongocrypt_ctx_t *ctx, mongocrypt_binary_t *out); 66 void (*cleanup) (mongocrypt_ctx_t *ctx); 67 } _mongocrypt_vtable_t; 68 69 70 struct _mongocrypt_ctx_t { 71 mongocrypt_t *crypt; 72 mongocrypt_ctx_state_t state; 73 _mongocrypt_ctx_type_t type; 74 mongocrypt_status_t *status; 75 _mongocrypt_key_broker_t kb; 76 _mongocrypt_vtable_t vtable; 77 _mongocrypt_ctx_opts_t opts; 78 bool initialized; 79 bool 80 nothing_to_do; /* set to true if no encryption/decryption is required. */ 81 }; 82 83 84 /* Transition to the error state. An error status must have been set. */ 85 bool 86 _mongocrypt_ctx_fail (mongocrypt_ctx_t *ctx); 87 88 89 /* Set an error status and transition to the error state. */ 90 bool 91 _mongocrypt_ctx_fail_w_msg (mongocrypt_ctx_t *ctx, const char *msg); 92 93 94 typedef struct { 95 mongocrypt_ctx_t parent; 96 bool explicit; 97 char *coll_name; 98 char *db_name; 99 char *ns; 100 _mongocrypt_buffer_t list_collections_filter; 101 _mongocrypt_buffer_t schema; 102 /* TODO CDRIVER-3150: audit + rename these buffers. 103 * original_cmd for explicit is {v: <BSON value>}, for auto is the command to 104 * be encrypted. 105 * 106 * mongocryptd_cmd is only applicable for auto encryption. It is the original 107 * command with JSONSchema appended. 108 * 109 * marked_cmd is the value of the 'result' field in mongocryptd response 110 * 111 * encrypted_cmd is the final output, the original command encrypted, or for 112 * explicit, the {v: <ciphertext>} doc. 113 */ 114 _mongocrypt_buffer_t original_cmd; 115 _mongocrypt_buffer_t mongocryptd_cmd; 116 _mongocrypt_buffer_t marked_cmd; 117 _mongocrypt_buffer_t encrypted_cmd; 118 _mongocrypt_buffer_t key_id; 119 bool used_local_schema; 120 /* collinfo_has_siblings is true if the schema came from a remote JSON 121 * schema, and there were siblings. */ 122 bool collinfo_has_siblings; 123 } _mongocrypt_ctx_encrypt_t; 124 125 126 typedef struct { 127 mongocrypt_ctx_t parent; 128 bool explicit; 129 /* TODO CDRIVER-3150: audit + rename these buffers. 130 * Unlike ctx_encrypt, unwrapped_doc holds the binary value of the {v: 131 * <ciphertext>} doc. 132 * */ 133 _mongocrypt_buffer_t original_doc; 134 _mongocrypt_buffer_t unwrapped_doc; /* explicit only */ 135 _mongocrypt_buffer_t decrypted_doc; 136 } _mongocrypt_ctx_decrypt_t; 137 138 139 typedef struct { 140 mongocrypt_ctx_t parent; 141 mongocrypt_kms_ctx_t kms; 142 bool kms_returned; 143 _mongocrypt_buffer_t key_doc; 144 _mongocrypt_buffer_t encrypted_key_material; 145 } _mongocrypt_ctx_datakey_t; 146 147 148 /* Used for option validation. True means required. False means prohibited. */ 149 typedef enum { 150 OPT_PROHIBITED = 0, 151 OPT_REQUIRED, 152 OPT_OPTIONAL 153 } _mongocrypt_ctx_opt_spec_t; 154 typedef struct { 155 _mongocrypt_ctx_opt_spec_t masterkey; 156 _mongocrypt_ctx_opt_spec_t schema; 157 _mongocrypt_ctx_opt_spec_t key_descriptor; /* a key_id or key_alt_name */ 158 _mongocrypt_ctx_opt_spec_t key_alt_names; 159 _mongocrypt_ctx_opt_spec_t algorithm; 160 _mongocrypt_ctx_opt_spec_t endpoint; 161 } _mongocrypt_ctx_opts_spec_t; 162 163 /* Common initialization. */ 164 bool 165 _mongocrypt_ctx_init (mongocrypt_ctx_t *ctx, 166 _mongocrypt_ctx_opts_spec_t *opt_spec) 167 MONGOCRYPT_WARN_UNUSED_RESULT; 168 169 /* Set the state of the context from the state of keys in the key broker. */ 170 bool 171 _mongocrypt_ctx_state_from_key_broker (mongocrypt_ctx_t *ctx) 172 MONGOCRYPT_WARN_UNUSED_RESULT; 173 174 #endif /* MONGOCRYPT_CTX_PRIVATE_H */ 175