Diffstat (limited to 'src/third_party/kms-message/src')
40 files changed, 0 insertions, 5413 deletions
diff --git a/src/third_party/kms-message/src/hexlify.c b/src/third_party/kms-message/src/hexlify.c
deleted file mode 100644
index 2d70927148c..00000000000
--- a/src/third_party/kms-message/src/hexlify.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "kms_message_private.h"
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-char *
-hexlify (const uint8_t *buf, size_t len)
-{
- char *hex_chars = malloc (len * 2 + 1);
- KMS_ASSERT (hex_chars);
-
- char *p = hex_chars;
- size_t i;
-
- for (i = 0; i < len; i++) {
- p += sprintf (p, "%02x", buf[i]);
- }
-
- *p = '\0';
-
- return hex_chars;
-}
-
-/* Returns -1 on error. */
-int
-unhexlify (const char *in, size_t len)
-{
- int i;
- int byte;
- int total = 0;
- int multiplier = 1;
-
- for (i = (int) len - 1; i >= 0; i--) {
- char c = *(in + i);
-
- if (c >= '0' && c <= '9') {
- byte = c - 48;
- } else if (c >= 'a' && c <= 'f') {
- byte = c - 97 + 10;
- } else if (c >= 'A' && c <= 'F') {
- byte = c - 65 + 10;
- } else {
- return -1;
- }
-
- total += byte * multiplier;
- multiplier *= 16;
- }
- return total;
-}
diff --git a/src/third_party/kms-message/src/hexlify.h b/src/third_party/kms-message/src/hexlify.h
deleted file mode 100644
index 60bc93ea7fc..00000000000
--- a/src/third_party/kms-message/src/hexlify.h
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <stdint.h>
-#include <stdlib.h>
-
-char *
-hexlify (const uint8_t *buf, size_t len);
-
-int
-unhexlify (const char *in, size_t len);
\ No newline at end of file
diff --git a/src/third_party/kms-message/src/kms_azure_request.c b/src/third_party/kms-message/src/kms_azure_request.c
deleted file mode 100644
index 5ce7488ff3d..00000000000
--- a/src/third_party/kms-message/src/kms_azure_request.c
+++ /dev/null
@@ -1,219 +0,0 @@
-/*
- * Copyright 2020-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "kms_message/kms_azure_request.h"
-
-#include "kms_message/kms_b64.h"
-#include "kms_message_private.h"
-#include "kms_request_opt_private.h"
-#include "kms_request_str.h"
-
-/*
- * Request has the following form:
- *
- * POST /{tenant ID}/oauth2/v2.0/token HTTP/1.1
- * Host: {host of identify platform URL}
- * Content-Type: application/x-www-form-urlencoded
- *
- * client_id={client ID}
- * &scope=https%3A%2F%2Fvault.azure.net%2F.default
- * &client_secret={client secret}
- * &grant_type=client_credentials
-*/
-kms_request_t *
-kms_azure_request_oauth_new (const char *host,
- const char *scope,
- const char *tenant_id,
- const char *client_id,
- const char *client_secret,
- const kms_request_opt_t *opt)
-{
- char *path_and_query = NULL;
- char *payload = NULL;
- kms_request_t *req;
- kms_request_str_t *str;
-
- str = kms_request_str_new ();
- kms_request_str_appendf (str, "/%s/oauth2/v2.0/token", tenant_id);
- path_and_query = kms_request_str_detach (str);
- str = kms_request_str_new ();
- kms_request_str_appendf (
- str,
- "client_id=%s&scope=%s&client_secret=%s&grant_type=client_credentials",
- client_id,
- scope,
- client_secret);
- payload = kms_request_str_detach (str);
-
- req = kms_request_new ("POST", path_and_query, opt);
-
- if (opt->provider != KMS_REQUEST_PROVIDER_AZURE) {
- KMS_ERROR (req, "Expected KMS request with provider type: Azure");
- goto done;
- }
-
- if (kms_request_get_error (req)) {
- goto done;
- }
-
- if (!kms_request_add_header_field (
- req, "Content-Type", "application/x-www-form-urlencoded")) {
- goto done;
- }
- if (!kms_request_add_header_field (req, "Host", host)) {
- goto done;
- }
- if (!kms_request_add_header_field (req, "Accept", "application/json")) {
- goto done;
- }
-
- if (!kms_request_append_payload (req, payload, strlen (payload))) {
- goto done;
- }
-
-done:
- kms_request_free_string (path_and_query);
- kms_request_free_string (payload);
- return req;
-}
-
-static kms_request_t *
-_wrap_unwrap_common (const char *wrap_unwrap,
- const char *host,
- const char *access_token,
- const char *key_name,
- const char *key_version,
- const uint8_t *value,
- size_t value_len,
- const kms_request_opt_t *opt)
-{
- char *path_and_query = NULL;
- char *payload = NULL;
- char *bearer_token_value = NULL;
- char *value_base64url = NULL;
- kms_request_t *req;
- kms_request_str_t *str;
-
- str = kms_request_str_new ();
- /* {vaultBaseUrl}/keys/{key-name}/{key-version}/wrapkey?api-version=7.1 */
- kms_request_str_appendf (str,
- "/keys/%s/%s/%s?api-version=7.1",
- key_name,
- key_version ? key_version : "",
- wrap_unwrap);
- path_and_query = kms_request_str_detach (str);
-
- req = kms_request_new ("POST", path_and_query, opt);
-
- if (opt->provider != KMS_REQUEST_PROVIDER_AZURE) {
- KMS_ERROR (req, "Expected KMS request with provider type: Azure");
- goto done;
- }
-
- if (kms_request_get_error (req)) {
- goto done;
- }
-
- value_base64url = kms_message_raw_to_b64url (value, value_len);
- if (!value_base64url) {
- KMS_ERROR (req, "Could not bases64url-encode plaintext");
- goto done;
- }
-
- str = kms_request_str_new ();
- kms_request_str_appendf (
- str, "{\"alg\": \"RSA-OAEP-256\", \"value\": \"%s\"}", value_base64url);
- payload = kms_request_str_detach (str);
- str = kms_request_str_new ();
- kms_request_str_appendf (str, "Bearer %s", access_token);
- bearer_token_value = kms_request_str_detach (str);
- if (!kms_request_add_header_field (
- req, "Authorization", bearer_token_value)) {
- goto done;
- }
- if (!kms_request_add_header_field (
- req, "Content-Type", "application/json")) {
- goto done;
- }
- if (!kms_request_add_header_field (req, "Host", host)) {
- goto done;
- }
- if (!kms_request_add_header_field (req, "Accept", "application/json")) {
- goto done;
- }
-
- if (!kms_request_append_payload (req, payload, strlen (payload))) {
- goto done;
- }
-
-done:
- kms_request_free_string (path_and_query);
- kms_request_free_string (payload);
- kms_request_free_string (bearer_token_value);
- kms_request_free_string (value_base64url);
- return req;
-}
-
-/*
- * Request has the following form:
- *
- * POST /keys/{key-name}/{key-version}/wrapkey?api-version=7.1
- * Host: {host of key vault endpoint}
- * Authentication: Bearer {token}
- * Content-Type: application/json
- *
- * {
- * "alg": "RSA-OAEP-256"
- * "value": "base64url encoded data"
- * }
- */
-kms_request_t *
-kms_azure_request_wrapkey_new (const char *host,
- const char *access_token,
- const char *key_name,
- const char *key_version,
- const uint8_t *plaintext,
- size_t plaintext_len,
- const kms_request_opt_t *opt)
-{
- return _wrap_unwrap_common ("wrapkey",
- host,
- access_token,
- key_name,
- key_version,
- plaintext,
- plaintext_len,
- opt);
-}
-
-kms_request_t *
-kms_azure_request_unwrapkey_new (const char *host,
- const char *access_token,
- const char *key_name,
- const char *key_version,
- const uint8_t *ciphertext,
- size_t ciphertext_len,
- const kms_request_opt_t *opt)
-{
- return _wrap_unwrap_common ("unwrapkey",
- host,
- access_token,
- key_name,
- key_version,
- ciphertext,
- ciphertext_len,
- opt);
-}
\ No newline at end of file
diff --git a/src/third_party/kms-message/src/kms_b64.c b/src/third_party/kms-message/src/kms_b64.c
deleted file mode 100644
index b6800bb19f0..00000000000
--- a/src/third_party/kms-message/src/kms_b64.c
+++ /dev/null
@@ -1,657 +0,0 @@ -/* - * Copyright (c) 1996, 1998 by Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS - * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE - * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL - * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR - * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS - * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS - * SOFTWARE. - */ - -/* - * Portions Copyright (c) 1995 by International Business Machines, Inc. - * - * International Business Machines, Inc. (hereinafter called IBM) grants - * permission under its copyrights to use, copy, modify, and distribute this - * Software with or without fee, provided that the above copyright notice and - * all paragraphs of this notice appear in all copies, and that the name of IBM - * not be used in connection with the marketing of any product incorporating - * the Software or modifications thereof, without specific, written prior - * permission. - * - * To the extent it has a right to do so, IBM grants an immunity from suit - * under its patents, if any, for the use, sale or manufacture of products to - * the extent that such products are used for performing Domain Name System - * dynamic updates in TCP/IP networks by means of the Software. No immunity is - * granted for any product per se or for any other function of any product. 
- * - * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES, - * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL, - * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING - * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN - * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. - */ - -#include <ctype.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "kms_message/kms_b64.h" -#include "kms_message/kms_message.h" - -#define Assert(Cond) \ - if (!(Cond)) \ - abort () - -static const char Base64[] = - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; -static const char Pad64 = '='; - -/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt) - * The following encoding technique is taken from RFC 1521 by Borenstein - * and Freed. It is reproduced here in a slightly edited form for - * convenience. - * - * A 65-character subset of US-ASCII is used, enabling 6 bits to be - * represented per printable character. (The extra 65th character, "=", - * is used to signify a special processing function.) - * - * The encoding process represents 24-bit groups of input bits as output - * strings of 4 encoded characters. Proceeding from left to right, a - * 24-bit input group is formed by concatenating 3 8-bit input groups. - * These 24 bits are then treated as 4 concatenated 6-bit groups, each - * of which is translated into a single digit in the base64 alphabet. - * - * Each 6-bit group is used as an index into an array of 64 printable - * characters. The character referenced by the index is placed in the - * output string. 
- * - * Table 1: The Base64 Alphabet - * - * Value Encoding Value Encoding Value Encoding Value Encoding - * 0 A 17 R 34 i 51 z - * 1 B 18 S 35 j 52 0 - * 2 C 19 T 36 k 53 1 - * 3 D 20 U 37 l 54 2 - * 4 E 21 V 38 m 55 3 - * 5 F 22 W 39 n 56 4 - * 6 G 23 X 40 o 57 5 - * 7 H 24 Y 41 p 58 6 - * 8 I 25 Z 42 q 59 7 - * 9 J 26 a 43 r 60 8 - * 10 K 27 b 44 s 61 9 - * 11 L 28 c 45 t 62 + - * 12 M 29 d 46 u 63 / - * 13 N 30 e 47 v - * 14 O 31 f 48 w (pad) = - * 15 P 32 g 49 x - * 16 Q 33 h 50 y - * - * Special processing is performed if fewer than 24 bits are available - * at the end of the data being encoded. A full encoding quantum is - * always completed at the end of a quantity. When fewer than 24 input - * bits are available in an input group, zero bits are added (on the - * right) to form an integral number of 6-bit groups. Padding at the - * end of the data is performed using the '=' character. - * - * Since all base64 input is an integral number of octets, only the - * following cases can arise: - * - * (1) the final quantum of encoding input is an integral - * multiple of 24 bits; here, the final unit of encoded - * output will be an integral multiple of 4 characters - * with no "=" padding, - * (2) the final quantum of encoding input is exactly 8 bits; - * here, the final unit of encoded output will be two - * characters followed by two "=" padding characters, or - * (3) the final quantum of encoding input is exactly 16 bits; - * here, the final unit of encoded output will be three - * characters followed by one "=" padding character. 
- */ - -int -kms_message_b64_ntop (uint8_t const *src, - size_t srclength, - char *target, - size_t targsize) -{ - size_t datalength = 0; - uint8_t input[3]; - uint8_t output[4]; - size_t i; - - while (2 < srclength) { - input[0] = *src++; - input[1] = *src++; - input[2] = *src++; - srclength -= 3; - - output[0] = input[0] >> 2; - output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4); - output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6); - output[3] = input[2] & 0x3f; - Assert (output[0] < 64); - Assert (output[1] < 64); - Assert (output[2] < 64); - Assert (output[3] < 64); - - if (datalength + 4 > targsize) { - return -1; - } - target[datalength++] = Base64[output[0]]; - target[datalength++] = Base64[output[1]]; - target[datalength++] = Base64[output[2]]; - target[datalength++] = Base64[output[3]]; - } - - /* Now we worry about padding. */ - if (0 != srclength) { - /* Get what's left. */ - input[0] = input[1] = input[2] = '\0'; - - for (i = 0; i < srclength; i++) { - input[i] = *src++; - } - output[0] = input[0] >> 2; - output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4); - output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6); - Assert (output[0] < 64); - Assert (output[1] < 64); - Assert (output[2] < 64); - - if (datalength + 4 > targsize) { - return -1; - } - target[datalength++] = Base64[output[0]]; - target[datalength++] = Base64[output[1]]; - - if (srclength == 1) { - target[datalength++] = Pad64; - } else { - target[datalength++] = Base64[output[2]]; - } - target[datalength++] = Pad64; - } - - if (datalength >= targsize) { - return -1; - } - target[datalength] = '\0'; /* Returned value doesn't count \0. */ - return (int) datalength; -} - -/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt) - The following encoding technique is taken from RFC 1521 by Borenstein - and Freed. It is reproduced here in a slightly edited form for - convenience. - - A 65-character subset of US-ASCII is used, enabling 6 bits to be - represented per printable character. 
(The extra 65th character, "=", - is used to signify a special processing function.) - - The encoding process represents 24-bit groups of input bits as output - strings of 4 encoded characters. Proceeding from left to right, a - 24-bit input group is formed by concatenating 3 8-bit input groups. - These 24 bits are then treated as 4 concatenated 6-bit groups, each - of which is translated into a single digit in the base64 alphabet. - - Each 6-bit group is used as an index into an array of 64 printable - characters. The character referenced by the index is placed in the - output string. - - Table 1: The Base64 Alphabet - - Value Encoding Value Encoding Value Encoding Value Encoding - 0 A 17 R 34 i 51 z - 1 B 18 S 35 j 52 0 - 2 C 19 T 36 k 53 1 - 3 D 20 U 37 l 54 2 - 4 E 21 V 38 m 55 3 - 5 F 22 W 39 n 56 4 - 6 G 23 X 40 o 57 5 - 7 H 24 Y 41 p 58 6 - 8 I 25 Z 42 q 59 7 - 9 J 26 a 43 r 60 8 - 10 K 27 b 44 s 61 9 - 11 L 28 c 45 t 62 + - 12 M 29 d 46 u 63 / - 13 N 30 e 47 v - 14 O 31 f 48 w (pad) = - 15 P 32 g 49 x - 16 Q 33 h 50 y - - Special processing is performed if fewer than 24 bits are available - at the end of the data being encoded. A full encoding quantum is - always completed at the end of a quantity. When fewer than 24 input - bits are available in an input group, zero bits are added (on the - right) to form an integral number of 6-bit groups. Padding at the - end of the data is performed using the '=' character. 
- - Since all base64 input is an integral number of octets, only the - following cases can arise: - - (1) the final quantum of encoding input is an integral - multiple of 24 bits; here, the final unit of encoded - output will be an integral multiple of 4 characters - with no "=" padding, - (2) the final quantum of encoding input is exactly 8 bits; - here, the final unit of encoded output will be two - characters followed by two "=" padding characters, or - (3) the final quantum of encoding input is exactly 16 bits; - here, the final unit of encoded output will be three - characters followed by one "=" padding character. - */ - -/* skips all whitespace anywhere. - converts characters, four at a time, starting at (or after) - src from base - 64 numbers into three 8 bit bytes in the target area. - it returns the number of data bytes stored at the target, or -1 on error. - */ - -static uint8_t b64rmap[256]; - -static const uint8_t b64rmap_special = 0xf0; -static const uint8_t b64rmap_end = 0xfd; -static const uint8_t b64rmap_space = 0xfe; -static const uint8_t b64rmap_invalid = 0xff; - -void -kms_message_b64_initialize_rmap (void) -{ - int i; - unsigned char ch; - - /* Null: end of string, stop parsing */ - b64rmap[0] = b64rmap_end; - - for (i = 1; i < 256; ++i) { - ch = (unsigned char) i; - /* Whitespaces */ - if (isspace (ch)) - b64rmap[i] = b64rmap_space; - /* Padding: stop parsing */ - else if (ch == Pad64) - b64rmap[i] = b64rmap_end; - /* Non-base64 char */ - else - b64rmap[i] = b64rmap_invalid; - } - - /* Fill reverse mapping for base64 chars */ - for (i = 0; Base64[i] != '\0'; ++i) - b64rmap[(uint8_t) Base64[i]] = i; -} - -static int -b64_pton_do (char const *src, uint8_t *target, size_t targsize) -{ - int tarindex, state, ch; - uint8_t ofs; - - state = 0; - tarindex = 0; - - while (1) { - ch = *src++; - ofs = b64rmap[ch]; - - if (ofs >= b64rmap_special) { - /* Ignore whitespaces */ - if (ofs == b64rmap_space) - continue; - /* End of base64 characters */ - if 
(ofs == b64rmap_end) - break; - /* A non-base64 character. */ - return (-1); - } - - switch (state) { - case 0: - if ((size_t) tarindex >= targsize) - return (-1); - target[tarindex] = ofs << 2; - state = 1; - break; - case 1: - if ((size_t) tarindex + 1 >= targsize) - return (-1); - target[tarindex] |= ofs >> 4; - target[tarindex + 1] = (ofs & 0x0f) << 4; - tarindex++; - state = 2; - break; - case 2: - if ((size_t) tarindex + 1 >= targsize) - return (-1); - target[tarindex] |= ofs >> 2; - target[tarindex + 1] = (ofs & 0x03) << 6; - tarindex++; - state = 3; - break; - case 3: - if ((size_t) tarindex >= targsize) - return (-1); - target[tarindex] |= ofs; - tarindex++; - state = 0; - break; - default: - abort (); - } - } - - /* - * We are done decoding Base-64 chars. Let's see if we ended - * on a byte boundary, and/or with erroneous trailing characters. - */ - - if (ch == Pad64) { /* We got a pad char. */ - ch = *src++; /* Skip it, get next. */ - switch (state) { - case 0: /* Invalid = in first position */ - case 1: /* Invalid = in second position */ - return (-1); - - case 2: /* Valid, means one byte of info */ - /* Skip any number of spaces. */ - for ((void) NULL; ch != '\0'; ch = *src++) - if (b64rmap[ch] != b64rmap_space) - break; - /* Make sure there is another trailing = sign. */ - if (ch != Pad64) - return (-1); - ch = *src++; /* Skip the = */ - /* Fall through to "single trailing =" case. */ - /* FALLTHROUGH */ - - case 3: /* Valid, means two bytes of info */ - /* - * We know this char is an =. Is there anything but - * whitespace after it? - */ - for ((void) NULL; ch != '\0'; ch = *src++) - if (b64rmap[ch] != b64rmap_space) - return (-1); - - /* - * Now make sure for cases 2 and 3 that the "extra" - * bits that slopped past the last full byte were - * zeros. If we don't check them, they become a - * subliminal channel. - */ - if (target[tarindex] != 0) - return (-1); - default: - break; - } - } else { - /* - * We ended by seeing the end of the string. 
Make sure we - * have no partial bytes lying around. - */ - if (state != 0) - return (-1); - } - - return (tarindex); -} - - -static int -b64_pton_len (char const *src) -{ - int tarindex, state, ch; - uint8_t ofs; - - state = 0; - tarindex = 0; - - while (1) { - ch = *src++; - ofs = b64rmap[ch]; - - if (ofs >= b64rmap_special) { - /* Ignore whitespaces */ - if (ofs == b64rmap_space) - continue; - /* End of base64 characters */ - if (ofs == b64rmap_end) - break; - /* A non-base64 character. */ - return (-1); - } - - switch (state) { - case 0: - state = 1; - break; - case 1: - tarindex++; - state = 2; - break; - case 2: - tarindex++; - state = 3; - break; - case 3: - tarindex++; - state = 0; - break; - default: - abort (); - } - } - - /* - * We are done decoding Base-64 chars. Let's see if we ended - * on a byte boundary, and/or with erroneous trailing characters. - */ - - if (ch == Pad64) { /* We got a pad char. */ - ch = *src++; /* Skip it, get next. */ - switch (state) { - case 0: /* Invalid = in first position */ - case 1: /* Invalid = in second position */ - return (-1); - - case 2: /* Valid, means one byte of info */ - /* Skip any number of spaces. */ - for ((void) NULL; ch != '\0'; ch = *src++) - if (b64rmap[ch] != b64rmap_space) - break; - /* Make sure there is another trailing = sign. */ - if (ch != Pad64) - return (-1); - ch = *src++; /* Skip the = */ - /* Fall through to "single trailing =" case. */ - /* FALLTHROUGH */ - - case 3: /* Valid, means two bytes of info */ - /* - * We know this char is an =. Is there anything but - * whitespace after it? - */ - for ((void) NULL; ch != '\0'; ch = *src++) - if (b64rmap[ch] != b64rmap_space) - return (-1); - - default: - break; - } - } else { - /* - * We ended by seeing the end of the string. Make sure we - * have no partial bytes lying around. 
- */ - if (state != 0) - return (-1); - } - - return (tarindex); -} - - -int -kms_message_b64_pton (char const *src, uint8_t *target, size_t targsize) -{ - if (target) - return b64_pton_do (src, target, targsize); - else - return b64_pton_len (src); -} - -int -kms_message_b64_to_b64url (const char *src, - size_t srclength, - char *target, - size_t targsize) -{ - size_t i; - - for (i = 0; i < srclength; i++) { - if (i >= targsize) { - return -1; - } - - target[i] = src[i]; - if (target[i] == '+') { - target[i] = '-'; - } else if (target[i] == '/') { - target[i] = '_'; - } - } - - /* NULL terminate if room. */ - if (i < targsize) { - target[i] = '\0'; - } - - return (int) i; -} - -int -kms_message_b64url_to_b64 (const char *src, - size_t srclength, - char *target, - size_t targsize) -{ - size_t i; - size_t boundary; - - for (i = 0; i < srclength; i++) { - if (i >= targsize) { - return -1; - } - - target[i] = src[i]; - if (target[i] == '-') { - target[i] = '+'; - } else if (target[i] == '_') { - target[i] = '/'; - } - } - - /* Pad to four byte boundary. */ - boundary = 4 * ((i + 3) / 4); - for (; i < boundary; i++) { - if (i >= targsize) { - return -1; - } - target[i] = '='; - } - - /* NULL terminate if room. 
*/ - if (i < targsize) { - target[i] = '\0'; - } - - return (int) i; -} - -char * -kms_message_raw_to_b64 (const uint8_t *raw, size_t raw_len) -{ - char *b64; - size_t b64_len; - - b64_len = (raw_len / 3 + 1) * 4 + 1; - b64 = malloc (b64_len); - memset (b64, 0, b64_len); - if (-1 == kms_message_b64_ntop (raw, raw_len, b64, b64_len)) { - free (b64); - return NULL; - } - return b64; -} - -uint8_t * -kms_message_b64_to_raw (const char *b64, size_t *out) -{ - uint8_t *raw; - int ret; - size_t b64len; - - b64len = strlen (b64); - raw = (uint8_t *) malloc (b64len + 1); - memset (raw, 0, b64len + 1); - ret = kms_message_b64_pton (b64, raw, b64len); - if (ret > 0) { - *out = (size_t) ret; - return raw; - } - free (raw); - return NULL; -} - -char * -kms_message_raw_to_b64url (const uint8_t *raw, size_t raw_len) -{ - char *b64; - size_t b64len; - - b64 = kms_message_raw_to_b64 (raw, raw_len); - if (!b64) { - return NULL; - } - - b64len = strlen (b64); - if (-1 == kms_message_b64_to_b64url (b64, b64len, b64, b64len)) { - free (b64); - return NULL; - } - - return b64; -} - -uint8_t * -kms_message_b64url_to_raw (const char *b64url, size_t *out) -{ - char *b64; - size_t capacity; - uint8_t *raw; - size_t b64urllen; - - b64urllen = strlen(b64url); - /* Add four for padding '=' characters. */ - capacity = b64urllen + 4; - b64 = malloc (capacity); - memset (b64, 0, capacity); - if (-1 == - kms_message_b64url_to_b64 (b64url, b64urllen, b64, capacity)) { - free (b64); - return NULL; - } - raw = kms_message_b64_to_raw (b64, out); - free (b64); - return raw; -}
\ No newline at end of file
diff --git a/src/third_party/kms-message/src/kms_caller_identity_request.c b/src/third_party/kms-message/src/kms_caller_identity_request.c
deleted file mode 100644
index 371d2d7bad2..00000000000
--- a/src/third_party/kms-message/src/kms_caller_identity_request.c
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright 2019-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"){}
- *
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "kms_message/kms_message.h"
-#include "kms_message_private.h"
-#include "kms_message/kms_b64.h"
-#include "kms_request_str.h"
-
-
-kms_request_t *
-kms_caller_identity_request_new (const kms_request_opt_t *opt)
-{
- kms_request_t *request;
- kms_request_str_t *payload = NULL;
-
- request = kms_request_new ("POST", "/", opt);
- if (kms_request_get_error (request)) {
- goto done;
- }
-
- if (!(kms_request_add_header_field (
- request, "Content-Type", "application/x-www-form-urlencoded"))) {
- goto done;
- }
-
- payload = kms_request_str_new ();
- kms_request_str_appendf (payload,
- "Action=GetCallerIdentity&Version=2011-06-15");
- if (!kms_request_append_payload (request, payload->str, payload->len)) {
- KMS_ERROR (request, "Could not append payload");
- goto done;
- }
-
-done:
- kms_request_str_destroy (payload);
-
- return request;
-}
diff --git a/src/third_party/kms-message/src/kms_crypto.h b/src/third_party/kms-message/src/kms_crypto.h
deleted file mode 100644
index a9789451bd5..00000000000
--- a/src/third_party/kms-message/src/kms_crypto.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef KMS_MESSAGE_KMS_CRYPTO_H
-#define KMS_MESSAGE_KMS_CRYPTO_H
-
-#include <stdbool.h>
-#include <stdlib.h>
-
-typedef struct {
- bool (*sha256) (void *ctx,
- const char *input,
- size_t len,
- unsigned char *hash_out);
- bool (*sha256_hmac) (void *ctx,
- const char *key_input,
- size_t key_len,
- const char *input,
- size_t len,
- unsigned char *hash_out);
- bool (*sign_rsaes_pkcs1_v1_5) (void *sign_ctx,
- const char *private_key,
- size_t private_key_len,
- const char *input,
- size_t input_len,
- unsigned char *signature_out);
- void *ctx;
- void *sign_ctx;
-} _kms_crypto_t;
-
-int
-kms_crypto_init ();
-
-void
-kms_crypto_cleanup ();
-
-bool
-kms_sha256 (void *ctx, const char *input, size_t len, unsigned char *hash_out);
-
-bool
-kms_sha256_hmac (void *ctx,
- const char *key_input,
- size_t key_len,
- const char *input,
- size_t len,
- unsigned char *hash_out);
-
-/* signature_out must be a preallocated buffer of 256 bytes (or greater). */
-bool
-kms_sign_rsaes_pkcs1_v1_5 (void *sign_ctx,
- const char *private_key,
- size_t private_key_len,
- const char *input,
- size_t input_len,
- unsigned char *signature_out);
-
-#endif /* KMS_MESSAGE_KMS_CRYPTO_H */
diff --git a/src/third_party/kms-message/src/kms_crypto_apple.c b/src/third_party/kms-message/src/kms_crypto_apple.c deleted file mode 100644 index c9212f10098..00000000000 --- a/src/third_party/kms-message/src/kms_crypto_apple.c +++ /dev/null 
@@ -1,155 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "kms_crypto.h"
-
-#ifdef KMS_MESSAGE_ENABLE_CRYPTO_COMMON_CRYPTO
-
-#include <CommonCrypto/CommonDigest.h>
-#include <CommonCrypto/CommonHMAC.h>
-#include <CoreFoundation/CFArray.h>
-#include <Security/SecKey.h>
-#include <Security/SecItem.h>
-#include <Security/SecImportExport.h>
-
-int
-kms_crypto_init ()
-{
- return 0;
-}
-
-void
-kms_crypto_cleanup ()
-{
-}
-
-bool
-kms_sha256 (void *unused_ctx,
- const char *input,
- size_t len,
- unsigned char *hash_out)
-{
- CC_SHA256_CTX ctx;
- CC_SHA256_Init (&ctx);
- CC_SHA256_Update (&ctx, input, len);
- CC_SHA256_Final (hash_out, &ctx);
- return true;
-}
-
-bool
-kms_sha256_hmac (void *unused_ctx,
- const char *key_input,
- size_t key_len,
- const char *input,
- size_t len,
- unsigned char *hash_out)
-{
- CCHmac (kCCHmacAlgSHA256, key_input, key_len, input, len, hash_out);
- return true;
-}
-
-static void
-safe_CFRelease (CFTypeRef ptr)
-{
- if (ptr) {
- CFRelease (ptr);
- }
-}
-
-bool
-kms_sign_rsaes_pkcs1_v1_5 (void *unused_ctx,
- const char *private_key,
- size_t private_key_len,
- const char *input,
- size_t input_len,
- unsigned char *signature_out)
-{
- CFDataRef key_data_ref = NULL;
- CFDataRef pass_ref = NULL;
- SecItemImportExportKeyParameters import_params;
- OSStatus status;
- /* TODO: I think the expected format should be kSecFormatWrappedPKCS8, but
- * GCP keys appear to only load for kSecFormatBSAFE. */
- SecExternalFormat format = kSecFormatUnknown;
- SecExternalItemType type = kSecItemTypePrivateKey;
- CFArrayRef out_ref = NULL;
- SecKeyRef key_ref = NULL;
- CFDataRef data_to_sign_ref = NULL;
- CFErrorRef error_ref;
- CFDataRef signature_ref = NULL;
- bool ret = false;
-
- key_data_ref = CFDataCreate (NULL /* default allocator */,
- (const uint8_t *) private_key,
- (CFIndex) private_key_len);
- if (!key_data_ref) {
- goto cleanup;
- }
- memset (&import_params, 0, sizeof (SecItemImportExportKeyParameters));
- import_params.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
-
- /* Give an empty password. SecItemImport returns an error expecting a
- * password. */
- pass_ref = CFDataCreate (NULL, NULL, 0);
- if (!pass_ref) {
- goto cleanup;
- }
- import_params.passphrase = (CFTypeRef) pass_ref;
-
- status = SecItemImport (key_data_ref,
- NULL /* extension. */,
- &format,
- &type,
- 0,
- &import_params,
- NULL /* keychain */,
- &out_ref);
- if (status != errSecSuccess) {
- goto cleanup;
- }
- if (1 != CFArrayGetCount (out_ref)) {
- goto cleanup;
- }
-
- key_ref = (SecKeyRef) CFArrayGetValueAtIndex (out_ref, 0);
- data_to_sign_ref = CFDataCreate (NULL, (const uint8_t *) input, input_len);
- if (!data_to_sign_ref) {
- goto cleanup;
- }
- error_ref = NULL;
- signature_ref =
- SecKeyCreateSignature (key_ref,
- kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256,
- data_to_sign_ref,
- &error_ref);
- if (!signature_ref) {
- goto cleanup;
- }
- memcpy (signature_out,
- CFDataGetBytePtr (signature_ref),
- CFDataGetLength (signature_ref));
-
- ret = true;
-cleanup:
- safe_CFRelease (key_data_ref);
- safe_CFRelease (pass_ref);
- safe_CFRelease (out_ref);
- safe_CFRelease (data_to_sign_ref);
- safe_CFRelease (signature_ref);
- return ret;
-}
-
-#endif /* KMS_MESSAGE_ENABLE_CRYPTO_COMMON_CRYPTO */
diff --git a/src/third_party/kms-message/src/kms_crypto_libcrypto.c b/src/third_party/kms-message/src/kms_crypto_libcrypto.c
deleted file mode 100644
index 52f6ef713c4..00000000000
--- a/src/third_party/kms-message/src/kms_crypto_libcrypto.c
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "kms_crypto.h"
-
-#ifdef KMS_MESSAGE_ENABLE_CRYPTO_LIBCRYPTO
-
-#include <openssl/sha.h>
-#include <openssl/evp.h>
-#include <openssl/hmac.h>
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
- (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
-static EVP_MD_CTX *
-EVP_MD_CTX_new (void)
-{
- return calloc (sizeof (EVP_MD_CTX), 1);
-}
-
-static void
-EVP_MD_CTX_free (EVP_MD_CTX *ctx)
-{
- EVP_MD_CTX_cleanup (ctx);
- free (ctx);
-}
-#endif
-
-int
-kms_crypto_init ()
-{
- return 0;
-}
-
-void
-kms_crypto_cleanup ()
-{
-}
-
-bool
-kms_sha256 (void *unused_ctx,
- const char *input,
- size_t len,
- unsigned char *hash_out)
-{
- EVP_MD_CTX *digest_ctxp = EVP_MD_CTX_new ();
- bool rval = false;
-
- if (1 != EVP_DigestInit_ex (digest_ctxp, EVP_sha256 (), NULL)) {
- goto cleanup;
- }
-
- if (1 != EVP_DigestUpdate (digest_ctxp, input, len)) {
- goto cleanup;
- }
-
- rval = (1 == EVP_DigestFinal_ex (digest_ctxp, hash_out, NULL));
-
-cleanup:
- EVP_MD_CTX_free (digest_ctxp);
-
- return rval;
-}
-
-bool
-kms_sha256_hmac (void *unused_ctx,
- const char *key_input,
- size_t key_len,
- const char *input,
- size_t len,
- unsigned char *hash_out)
-{
- return HMAC (EVP_sha256 (),
- key_input,
- key_len,
- (unsigned char *) input,
- len,
- hash_out,
- NULL) != NULL;
-}
-
-bool
-kms_sign_rsaes_pkcs1_v1_5 (void *unused_ctx,
- const char *private_key,
- size_t private_key_len,
- const char *input,
- size_t input_len,
- unsigned char *signature_out)
-{
- EVP_MD_CTX *ctx;
- EVP_PKEY *pkey = NULL;
- bool ret = false;
- size_t signature_out_len = 256;
-
- ctx = EVP_MD_CTX_new ();
- pkey = d2i_PrivateKey (EVP_PKEY_RSA,
- NULL,
- (const unsigned char **) &private_key,
- private_key_len);
- if (!pkey) {
- goto cleanup;
- }
-
- ret = EVP_DigestSignInit (ctx, NULL, EVP_sha256 (), NULL /* engine */, pkey);
- if (ret != 1) {
- goto cleanup;
- }
-
- ret = EVP_DigestSignUpdate (ctx, input, input_len);
- if (ret != 1) {
- goto cleanup;
- }
-
- ret = EVP_DigestSignFinal (ctx, signature_out, &signature_out_len);
- if (ret != 1) {
- goto cleanup;
- }
-
- ret = true;
-cleanup:
- EVP_MD_CTX_free (ctx);
- EVP_PKEY_free (pkey);
- return ret;
-}
-
-#endif /* KMS_MESSAGE_ENABLE_CRYPTO_LIBCRYPTO */
diff --git a/src/third_party/kms-message/src/kms_crypto_none.c b/src/third_party/kms-message/src/kms_crypto_none.c
deleted file mode 100644
index dee69ffe0a7..00000000000
--- a/src/third_party/kms-message/src/kms_crypto_none.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "kms_crypto.h"
-
-#ifndef KMS_MESSAGE_ENABLE_CRYPTO
-
-int
-kms_crypto_init ()
-{
- return 0;
-}
-
-void
-kms_crypto_cleanup ()
-{
-}
-
-bool
-kms_sha256 (void *unused_ctx,
- const char *input,
- size_t len,
- unsigned char *hash_out)
-{
- /* only gets called if hooks were mistakenly not set */
- return false;
-}
-
-bool
-kms_sha256_hmac (void *unused_ctx,
- const char *key_input,
- size_t key_len,
- const char *input,
- size_t len,
- unsigned char *hash_out)
-{
- /* only gets called if hooks were mistakenly not set */
- return false;
-}
-
-bool
-kms_sign_rsaes_pkcs1_v1_5 (void *unused_ctx,
- const char *private_key,
- size_t private_key_len,
- const char *input,
- size_t input_len,
- unsigned char *signature_out) {
- /* only gets called if hooks were mistakenly not set */
- return false;
-}
-
-#endif /* KMS_MESSAGE_ENABLE_CRYPTO */
diff --git a/src/third_party/kms-message/src/kms_crypto_windows.c b/src/third_party/kms-message/src/kms_crypto_windows.c
deleted file mode 100644
index 5d41f7fd81f..00000000000
--- a/src/third_party/kms-message/src/kms_crypto_windows.c
+++ /dev/null
@@ -1,268 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "kms_crypto.h"
-
-#ifdef KMS_MESSAGE_ENABLE_CRYPTO_CNG
-
-// tell windows.h not to include a bunch of headers we don't need:
-#define WIN32_LEAN_AND_MEAN
-
-// Tell windows.h not to define any NT status codes, so that we can
-// get the definitions from ntstatus.h, which has a more complete list.
-#define WIN32_NO_STATUS
-
-#include <windows.h>
-
-#undef WIN32_NO_STATUS
-
-// Obtain a definition for the ntstatus type.
-#include <winternl.h>
-
-// Add back in the status definitions so that macro expansions for
-// things like STILL_ACTIVE and WAIT_OBJECT_O can be resolved (they
-// expand to STATUS_ codes).
-#include <ntstatus.h>
-
-#include <bcrypt.h>
-#include <wincrypt.h>
-
-static BCRYPT_ALG_HANDLE _algoSHA256 = 0;
-static BCRYPT_ALG_HANDLE _algoSHA256Hmac = 0;
-static BCRYPT_ALG_HANDLE _algoRSA = 0;
-
-#define SHA_256_HASH_LEN 32
-
-int
-kms_crypto_init ()
-{
- if (BCryptOpenAlgorithmProvider (
- &_algoSHA256, BCRYPT_SHA256_ALGORITHM, MS_PRIMITIVE_PROVIDER, 0) !=
- STATUS_SUCCESS) {
- return 1;
- }
-
- if (BCryptOpenAlgorithmProvider (&_algoSHA256Hmac,
- BCRYPT_SHA256_ALGORITHM,
- MS_PRIMITIVE_PROVIDER,
- BCRYPT_ALG_HANDLE_HMAC_FLAG) !=
- STATUS_SUCCESS) {
- return 2;
- }
-
- if (BCryptOpenAlgorithmProvider (
- &_algoRSA, BCRYPT_RSA_ALGORITHM, MS_PRIMITIVE_PROVIDER, 0) !=
- STATUS_SUCCESS) {
- return 3;
- }
-
- return 0;
-}
-
-void
-kms_crypto_cleanup ()
-{
- (void) BCryptCloseAlgorithmProvider (_algoSHA256, 0);
- (void) BCryptCloseAlgorithmProvider (_algoSHA256Hmac, 0);
- (void) BCryptCloseAlgorithmProvider (_algoRSA, 0);
-}
-
-bool
-kms_sha256 (void *unused_ctx,
- const char *input,
- size_t len,
- unsigned char *hash_out)
-{
- BCRYPT_HASH_HANDLE hHash;
-
- NTSTATUS status =
- BCryptCreateHash (_algoSHA256, &hHash, NULL, 0, NULL, 0, 0);
- if (status != STATUS_SUCCESS) {
- return 0;
- }
-
- status = BCryptHashData (hHash, (PUCHAR) (input), (ULONG) len, 0);
- if (status != STATUS_SUCCESS) {
- goto cleanup;
- }
-
- // Hardcode output length
- status = BCryptFinishHash (hHash, hash_out, 256 / 8, 0);
- if (status != STATUS_SUCCESS) {
- goto cleanup;
- }
-
-cleanup:
- (void) BCryptDestroyHash (hHash);
-
- return status == STATUS_SUCCESS ? 1 : 0;
-}
-
-bool
-kms_sha256_hmac (void *unused_ctx,
- const char *key_input,
- size_t key_len,
- const char *input,
- size_t len,
- unsigned char *hash_out)
-{
- BCRYPT_HASH_HANDLE hHash;
-
- NTSTATUS status = BCryptCreateHash (
- _algoSHA256Hmac, &hHash, NULL, 0, (PUCHAR) key_input, (ULONG) key_len, 0);
- if (status != STATUS_SUCCESS) {
- return 0;
- }
-
- status = BCryptHashData (hHash, (PUCHAR) input, (ULONG) len, 0);
- if (status != STATUS_SUCCESS) {
- goto cleanup;
- }
-
- // Hardcode output length
- status = BCryptFinishHash (hHash, hash_out, 256 / 8, 0);
- if (status != STATUS_SUCCESS) {
- goto cleanup;
- }
-
-cleanup:
- (void) BCryptDestroyHash (hHash);
-
- return status == STATUS_SUCCESS ? 1 : 0;
-}
-
-bool
-kms_sign_rsaes_pkcs1_v1_5 (void *unused_ctx,
- const char *private_key,
- size_t private_key_len,
- const char *input,
- size_t input_len,
- unsigned char *signature_out)
-{
- bool success = false;
- bool ret = false;
- LPBYTE blob_private = NULL;
- DWORD blob_private_len = 0;
- LPBYTE raw_private = NULL;
- DWORD raw_private_len = 0;
-
- NTSTATUS status;
- BCRYPT_KEY_HANDLE hKey = NULL;
- BCRYPT_PKCS1_PADDING_INFO padding_PKCS1;
-
- unsigned char *hash_value = NULL;
- DWORD hash_length = 256;
-
- success = CryptDecodeObjectEx (X509_ASN_ENCODING,
- PKCS_PRIVATE_KEY_INFO,
- private_key,
- (DWORD) private_key_len,
- 0,
- NULL,
- NULL,
- &blob_private_len);
- if (!success) {
- goto cleanup;
- }
-
- blob_private = (LPBYTE) calloc (1, blob_private_len);
-
- success = CryptDecodeObjectEx (X509_ASN_ENCODING,
- PKCS_PRIVATE_KEY_INFO,
- private_key,
- (DWORD) private_key_len,
- 0,
- NULL,
- blob_private,
- &blob_private_len);
- if (!success) {
- goto cleanup;
- }
-
- CRYPT_PRIVATE_KEY_INFO *privateKeyInfo =
- (CRYPT_PRIVATE_KEY_INFO *) blob_private;
-
- success = CryptDecodeObjectEx (X509_ASN_ENCODING,
- PKCS_RSA_PRIVATE_KEY,
- privateKeyInfo->PrivateKey.pbData,
- (DWORD) privateKeyInfo->PrivateKey.cbData,
- 0,
- NULL,
- NULL,
- &raw_private_len);
- if (!success) {
- goto cleanup;
- }
-
- raw_private = (LPBYTE) calloc (1, raw_private_len);
-
- success = CryptDecodeObjectEx (X509_ASN_ENCODING,
- PKCS_RSA_PRIVATE_KEY,
- privateKeyInfo->PrivateKey.pbData,
- (DWORD) privateKeyInfo->PrivateKey.cbData,
- 0,
- NULL,
- raw_private,
- &raw_private_len);
- if (!success) {
- goto cleanup;
- }
-
- status = BCryptImportKeyPair (
- _algoRSA,
- NULL,
- LEGACY_RSAPRIVATE_BLOB,
- &hKey,
- raw_private,
- raw_private_len,
- 0);
- if (!NT_SUCCESS (status)) {
- goto cleanup;
- }
-
- hash_value = calloc (1, SHA_256_HASH_LEN);
-
- if(!kms_sha256 (NULL, input, input_len, hash_value)) {
- goto cleanup;
- }
-
- padding_PKCS1.pszAlgId = BCRYPT_SHA256_ALGORITHM;
-
- status =
- BCryptSignHash (hKey,
- &padding_PKCS1,
- hash_value,
- SHA_256_HASH_LEN,
- signature_out,
- hash_length,
- &hash_length,
- BCRYPT_PAD_PKCS1);
- if (!NT_SUCCESS (status)) {
- goto cleanup;
- }
-
- ret = true;
-
-cleanup:
- BCryptDestroyKey(hKey);
- free (blob_private);
- free (raw_private);
- free (hash_value);
-
- return ret;
-}
-
-#endif /* KMS_MESSAGE_ENABLE_CRYPTO_CNG */
diff --git a/src/third_party/kms-message/src/kms_decrypt_request.c b/src/third_party/kms-message/src/kms_decrypt_request.c
deleted file mode 100644
index 25cbecad237..00000000000
--- a/src/third_party/kms-message/src/kms_decrypt_request.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"){}
- *
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "kms_message/kms_message.h"
-#include "kms_message_private.h"
-#include "kms_message/kms_b64.h"
-#include "kms_request_str.h"
-
-
-kms_request_t *
-kms_decrypt_request_new (const uint8_t *ciphertext_blob,
- size_t len,
- const kms_request_opt_t *opt)
-{
- kms_request_t *request;
- size_t b64_len;
- char *b64 = NULL;
- kms_request_str_t *payload = NULL;
-
- request = kms_request_new ("POST", "/", opt);
- if (kms_request_get_error (request)) {
- goto done;
- }
-
- if (!(kms_request_add_header_field (
- request, "Content-Type", "application/x-amz-json-1.1") &&
- kms_request_add_header_field (
- request, "X-Amz-Target", "TrentService.Decrypt"))) {
- goto done;
- }
-
- b64_len = (len / 3 + 1) * 4 + 1;
-
- if (!(b64 = malloc (b64_len))) {
- KMS_ERROR (request,
- "Could not allocate %d bytes for base64-encoding payload",
- (int) b64_len);
- goto done;
- }
-
- if (kms_message_b64_ntop (ciphertext_blob, len, b64, b64_len) == -1) {
- KMS_ERROR (request, "Could not base64-encode ciphertext blob");
- goto done;
- }
-
- payload = kms_request_str_new ();
- kms_request_str_appendf (payload, "{\"CiphertextBlob\": \"%s\"}", b64);
- if (!kms_request_append_payload (request, payload->str, payload->len)) {
- KMS_ERROR (request, "Could not append payload");
- goto done;
- }
-
-done:
- free (b64);
- kms_request_str_destroy (payload);
-
- return request;
-}
diff --git a/src/third_party/kms-message/src/kms_encrypt_request.c b/src/third_party/kms-message/src/kms_encrypt_request.c
deleted file mode 100644
index 3f922abc3a8..00000000000
--- a/src/third_party/kms-message/src/kms_encrypt_request.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"){}
- *
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "kms_message/kms_message.h"
-#include "kms_message_private.h"
-#include "kms_message/kms_b64.h"
-#include "kms_request_str.h"
-
-kms_request_t *
-kms_encrypt_request_new (const uint8_t *plaintext,
- size_t plaintext_length,
- const char *key_id,
- const kms_request_opt_t *opt)
-{
- kms_request_t *request;
- size_t b64_len;
- char *b64 = NULL;
- kms_request_str_t *payload = NULL;
-
- request = kms_request_new ("POST", "/", opt);
- if (kms_request_get_error (request)) {
- goto done;
- }
-
- if (!(kms_request_add_header_field (
- request, "Content-Type", "application/x-amz-json-1.1") &&
- kms_request_add_header_field (
- request, "X-Amz-Target", "TrentService.Encrypt"))) {
- goto done;
- }
-
- b64_len = (plaintext_length / 3 + 1) * 4 + 1;
- if (!(b64 = malloc (b64_len))) {
- KMS_ERROR (request,
- "Could not allocate %d bytes for base64-encoding payload",
- (int) b64_len);
- goto done;
- }
-
- if (kms_message_b64_ntop (
- (const uint8_t *) plaintext, plaintext_length, b64, b64_len) == -1) {
- KMS_ERROR (request, "Could not base64-encode plaintext");
- goto done;
- }
-
- payload = kms_request_str_new ();
- kms_request_str_appendf (
- payload, "{\"Plaintext\": \"%s\", \"KeyId\": \"%s\"}", b64, key_id);
- if (!kms_request_append_payload (request, payload->str, payload->len)) {
- KMS_ERROR (request, "Could not append payload");
- goto done;
- }
-
-done:
- free (b64);
- kms_request_str_destroy (payload);
-
- return request;
-}
diff --git a/src/third_party/kms-message/src/kms_gcp_request.c b/src/third_party/kms-message/src/kms_gcp_request.c
deleted file mode 100644
index 564cacc6113..00000000000
--- a/src/third_party/kms-message/src/kms_gcp_request.c
+++ /dev/null
@@ -1,286 +0,0 @@
-/*
- * Copyright 2020-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "kms_message/kms_gcp_request.h"
-
-#include "kms_message/kms_b64.h"
-#include "kms_message_private.h"
-#include "kms_request_opt_private.h"
-
-/* Set a default expiration of 5 minutes for JSON Web Tokens (GCP allows up to
- * one hour) */
-#define JWT_EXPIRATION_SECS 5 * 60
-#define SIGNATURE_LEN 256
-
-kms_request_t *
-kms_gcp_request_oauth_new (const char *host,
- const char *email,
- const char *audience,
- const char *scope,
- const char *private_key_data,
- size_t private_key_len,
- const kms_request_opt_t *opt)
-{
- kms_request_t *req = NULL;
- kms_request_str_t *str = NULL;
- time_t issued_at;
- /* base64 encoding of {"alg":"RS256","typ":"JWT"} */
- const char *jwt_header_b64url = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9";
- char *jwt_claims_b64url = NULL;
- char *jwt_header_and_claims_b64url = NULL;
- uint8_t *jwt_signature = NULL;
- char *jwt_signature_b64url = NULL;
- char *jwt_assertion_b64url = NULL;
- char *payload = NULL;
-
- req = kms_request_new ("POST", "/token", opt);
- if (opt->provider != KMS_REQUEST_PROVIDER_GCP) {
- KMS_ERROR (req, "Expected KMS request with provider type: GCP");
- goto done;
- }
-
- if (kms_request_get_error (req)) {
- goto done;
- }
-
- /* Produce the signed JWT <base64url header>.<base64url claims>.<base64url
- * signature> */
- issued_at = time (NULL);
- str = kms_request_str_new ();
- kms_request_str_appendf (str,
- "{\"iss\": \"%s\", \"aud\": \"%s\", \"scope\": "
- "\"%s\", \"iat\": %lu, \"exp\": %lu}",
- email,
- audience,
- scope,
- (unsigned long) issued_at,
- (unsigned long) issued_at + JWT_EXPIRATION_SECS);
- jwt_claims_b64url =
- kms_message_raw_to_b64url ((const uint8_t *) str->str, str->len);
- kms_request_str_destroy (str);
- if (!jwt_claims_b64url) {
- KMS_ERROR (req, "Failed to base64url encode JWT claims");
- goto done;
- }
-
- str = kms_request_str_new ();
- kms_request_str_appendf (str, "%s.%s", jwt_header_b64url, jwt_claims_b64url);
- jwt_header_and_claims_b64url = kms_request_str_detach (str);
-
- /* Produce the signature of <base64url header>.<base64url claims> */
- req->crypto.sign_rsaes_pkcs1_v1_5 = kms_sign_rsaes_pkcs1_v1_5;
- if (opt->crypto.sign_rsaes_pkcs1_v1_5) {
- req->crypto.sign_rsaes_pkcs1_v1_5 = opt->crypto.sign_rsaes_pkcs1_v1_5;
- req->crypto.sign_ctx = opt->crypto.sign_ctx;
- }
-
- jwt_signature = malloc (SIGNATURE_LEN);
- if (!req->crypto.sign_rsaes_pkcs1_v1_5 (
- req->crypto.sign_ctx,
- private_key_data,
- private_key_len,
- jwt_header_and_claims_b64url,
- strlen (jwt_header_and_claims_b64url),
- jwt_signature)) {
- KMS_ERROR (req, "Failed to create GCP oauth request signature");
- goto done;
- }
-
- jwt_signature_b64url =
- kms_message_raw_to_b64url (jwt_signature, SIGNATURE_LEN);
- if (!jwt_signature_b64url) {
- KMS_ERROR (req, "Failed to base64url encode JWT signature");
- goto done;
- }
- str = kms_request_str_new ();
- kms_request_str_appendf (str,
- "%s.%s.%s",
- jwt_header_b64url,
- jwt_claims_b64url,
- jwt_signature_b64url);
- jwt_assertion_b64url = kms_request_str_detach (str);
-
- str =
- kms_request_str_new_from_chars ("grant_type=urn%3Aietf%3Aparams%3Aoauth%"
- "3Agrant-type%3Ajwt-bearer&assertion=",
- -1);
- kms_request_str_append_chars (str, jwt_assertion_b64url, -1);
- payload = kms_request_str_detach (str);
-
- if (!kms_request_add_header_field (
- req, "Content-Type", "application/x-www-form-urlencoded")) {
- goto done;
- }
- if (!kms_request_add_header_field (req, "Host", host)) {
- goto done;
- }
- if (!kms_request_add_header_field (req, "Accept", "application/json")) {
- goto done;
- }
-
- if (!kms_request_append_payload (req, payload, strlen (payload))) {
- goto done;
- }
-
-done:
- free (jwt_signature);
- free (jwt_signature_b64url);
- free (jwt_claims_b64url);
- free (jwt_header_and_claims_b64url);
- free (jwt_assertion_b64url);
- free (payload);
- return req;
-}
-
-static kms_request_t *
-_encrypt_decrypt_common (const char *encrypt_decrypt,
- const char *host,
- const char *access_token,
- const char *project_id,
- const char *location,
- const char *key_ring_name,
- const char *key_name,
- const char *key_version,
- const uint8_t *value,
- size_t value_len,
- const kms_request_opt_t *opt)
-{
- char *path_and_query = NULL;
- char *payload = NULL;
- char *bearer_token_value = NULL;
- char *value_base64 = NULL;
- kms_request_t *req;
- kms_request_str_t *str;
-
- str = kms_request_str_new ();
- /* /v1/projects/{project-id}/locations/{location}/keyRings/{key-ring-name}/cryptoKeys/{key-name}
- */
- kms_request_str_appendf (
- str,
- "/v1/projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s",
- project_id,
- location,
- key_ring_name,
- key_name);
- if (key_version && strlen (key_version) > 0) {
- kms_request_str_appendf (str, "/cryptoKeyVersions/%s", key_version);
- }
- kms_request_str_appendf (str, ":%s", encrypt_decrypt);
- path_and_query = kms_request_str_detach (str);
-
- req = kms_request_new ("POST", path_and_query, opt);
-
- if (opt->provider != KMS_REQUEST_PROVIDER_GCP) {
- KMS_ERROR (req, "Expected KMS request with provider type: GCP");
- goto done;
- }
-
- if (kms_request_get_error (req)) {
- goto done;
- }
-
- value_base64 = kms_message_raw_to_b64 (value, value_len);
- if (!value_base64) {
- KMS_ERROR (req, "Could not bases64-encode plaintext");
- goto done;
- }
-
- str = kms_request_str_new ();
- if (0 == strcmp ("encrypt", encrypt_decrypt)) {
- kms_request_str_appendf (str, "{\"plaintext\": \"%s\"}", value_base64);
- } else {
- kms_request_str_appendf (str, "{\"ciphertext\": \"%s\"}", value_base64);
- }
-
- payload = kms_request_str_detach (str);
- str = kms_request_str_new ();
- kms_request_str_appendf (str, "Bearer %s", access_token);
- bearer_token_value = kms_request_str_detach (str);
- if (!kms_request_add_header_field (
- req, "Authorization", bearer_token_value)) {
- goto done;
- }
- if (!kms_request_add_header_field (
- req, "Content-Type", "application/json")) {
- goto done;
- }
- if (!kms_request_add_header_field (req, "Host", host)) {
- goto done;
- }
- if (!kms_request_add_header_field (req, "Accept", "application/json")) {
- goto done;
- }
-
- if (!kms_request_append_payload (req, payload, strlen (payload))) {
- goto done;
- }
-
-done:
- kms_request_free_string (path_and_query);
- kms_request_free_string (payload);
- kms_request_free_string (bearer_token_value);
- kms_request_free_string (value_base64);
- return req;
-}
-
-kms_request_t *
-kms_gcp_request_encrypt_new (const char *host,
- const char *access_token,
- const char *project_id,
- const char *location,
- const char *key_ring_name,
- const char *key_name,
- const char *key_version,
- const uint8_t *plaintext,
- size_t plaintext_len,
- const kms_request_opt_t *opt)
-{
- return _encrypt_decrypt_common ("encrypt",
- host,
- access_token,
- project_id,
- location,
- key_ring_name,
- key_name,
- key_version,
- plaintext,
- plaintext_len,
- opt);
-}
-
-kms_request_t *
-kms_gcp_request_decrypt_new (const char *host,
- const char *access_token,
- const char *project_id,
- const char *location,
- const char *key_ring_name,
- const char *key_name,
- const uint8_t *ciphertext,
- size_t ciphertext_len,
- const kms_request_opt_t *opt)
-{
- return _encrypt_decrypt_common ("decrypt",
- host,
- access_token,
- project_id,
- location,
- key_ring_name,
- key_name,
- NULL /* key_version */,
- ciphertext,
- ciphertext_len,
- opt);
-}
\ No newline at end of file
diff --git a/src/third_party/kms-message/src/kms_kv_list.c b/src/third_party/kms-message/src/kms_kv_list.c
deleted file mode 100644
index 0cff3dc2c64..00000000000
--- a/src/third_party/kms-message/src/kms_kv_list.c
+++ /dev/null
@@ -1,149 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"){}
- *
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "kms_kv_list.h"
-#include "kms_message/kms_message.h"
-#include "kms_message_private.h"
-#include "kms_request_str.h"
-#include "kms_port.h"
-#include "sort.h"
-
-static void
-kv_init (kms_kv_t *kv, kms_request_str_t *key, kms_request_str_t *value)
-{
- kv->key = kms_request_str_dup (key);
- kv->value = kms_request_str_dup (value);
-}
-
-static void
-kv_cleanup (kms_kv_t *kv)
-{
- kms_request_str_destroy (kv->key);
- kms_request_str_destroy (kv->value);
-}
-
-kms_kv_list_t *
-kms_kv_list_new (void)
-{
- kms_kv_list_t *lst = malloc (sizeof (kms_kv_list_t));
- KMS_ASSERT (lst);
-
- lst->size = 16;
- lst->kvs = malloc (lst->size * sizeof (kms_kv_t));
- KMS_ASSERT (lst->kvs);
-
- lst->len = 0;
-
- return lst;
-}
-
-void
-kms_kv_list_destroy (kms_kv_list_t *lst)
-{
- size_t i;
-
- if (!lst) {
- return;
- }
-
- for (i = 0; i < lst->len; i++) {
- kv_cleanup (&lst->kvs[i]);
- }
-
- free (lst->kvs);
- free (lst);
-}
-
-void
-kms_kv_list_add (kms_kv_list_t *lst,
- kms_request_str_t *key,
- kms_request_str_t *value)
-{
- if (lst->len == lst->size) {
- lst->size *= 2;
- lst->kvs = realloc (lst->kvs, lst->size * sizeof (kms_kv_t));
- KMS_ASSERT (lst->kvs);
- }
-
- kv_init (&lst->kvs[lst->len], key, value);
- ++lst->len;
-}
-
-const kms_kv_t *
-kms_kv_list_find (const kms_kv_list_t *lst, const char *key)
-{
- size_t i;
-
- for (i = 0; i < lst->len; i++) {
- if (0 == kms_strcasecmp (lst->kvs[i].key->str, key)) {
- return &lst->kvs[i];
- }
- }
-
- return NULL;
-}
-
-void
-kms_kv_list_del (kms_kv_list_t *lst, const char *key)
-{
- size_t i;
-
- for (i = 0; i < lst->len; i++) {
- if (0 == strcmp (lst->kvs[i].key->str, key)) {
- kv_cleanup (&lst->kvs[i]);
- memmove (&lst->kvs[i],
- &lst->kvs[i + 1],
- sizeof (kms_kv_t) * (lst->len - i - 1));
- lst->len--;
- }
- }
-}
-
-kms_kv_list_t *
-kms_kv_list_dup (const kms_kv_list_t *lst)
-{
- kms_kv_list_t *dup;
- size_t i;
-
- if (lst->len == 0) {
- return kms_kv_list_new ();
- }
-
- dup = malloc (sizeof (kms_kv_list_t));
- KMS_ASSERT (dup);
-
- dup->size = dup->len = lst->len;
- dup->kvs = malloc (lst->len * sizeof (kms_kv_t));
- KMS_ASSERT (dup->kvs);
-
-
- for (i = 0; i < lst->len; i++) {
- kv_init (&dup->kvs[i], lst->kvs[i].key, lst->kvs[i].value);
- }
-
- return dup;
-}
-
-
-void
-kms_kv_list_sort (kms_kv_list_t *lst, int (*cmp) (const void *, const void *))
-{
- /* A stable sort is required to sort headers when creating canonical
- * requests. qsort is not stable. */
- insertionsort (
- (unsigned char *) (lst->kvs), lst->len, sizeof (kms_kv_t), cmp);
-}
diff --git a/src/third_party/kms-message/src/kms_kv_list.h b/src/third_party/kms-message/src/kms_kv_list.h
deleted file mode 100644
index 1d984d6c46d..00000000000
--- a/src/third_party/kms-message/src/kms_kv_list.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef KMS_KV_LIST_H
-#define KMS_KV_LIST_H
-
-#include "kms_message/kms_message.h"
-#include "kms_request_str.h"
-
-#include <stdbool.h>
-#include <stdint.h>
-#include <stdlib.h>
-
-/* key-value pair */
-typedef struct {
- kms_request_str_t *key;
- kms_request_str_t *value;
-} kms_kv_t;
-
-typedef struct {
- kms_kv_t *kvs;
- size_t len;
- size_t size;
-} kms_kv_list_t;
-
-kms_kv_list_t *
-kms_kv_list_new (void);
-void
-kms_kv_list_destroy (kms_kv_list_t *lst);
-void
-kms_kv_list_add (kms_kv_list_t *lst,
- kms_request_str_t *key,
- kms_request_str_t *value);
-const kms_kv_t *
-kms_kv_list_find (const kms_kv_list_t *lst, const char *key);
-void
-kms_kv_list_del (kms_kv_list_t *lst, const char *key);
-kms_kv_list_t *
-kms_kv_list_dup (const kms_kv_list_t *lst);
-void
-kms_kv_list_sort (kms_kv_list_t *lst, int (*cmp) (const void *, const void *));
-
-#endif /* KMS_KV_LIST_H */
diff --git a/src/third_party/kms-message/src/kms_message.c b/src/third_party/kms-message/src/kms_message.c
deleted file mode 100644
index 3998eabd614..00000000000
--- a/src/third_party/kms-message/src/kms_message.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"){}
- *
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "kms_message/kms_b64.h"
-#include "kms_message/kms_message.h"
-#include "kms_message_private.h"
-#include "kms_crypto.h"
-
-#include <stdarg.h>
-#include <stdio.h>
-
-void
-set_error (char *error, size_t size, const char *fmt, ...)
-{
- va_list va;
-
- va_start (va, fmt);
- (void) vsnprintf (error, size, fmt, va);
- va_end (va);
-}
-
-int
-kms_message_init (void)
-{
- kms_message_b64_initialize_rmap ();
- return kms_crypto_init ();
-}
-
-void
-kms_message_cleanup (void)
-{
- kms_crypto_cleanup ();
-}
diff --git a/src/third_party/kms-message/src/kms_message/kms_azure_request.h b/src/third_party/kms-message/src/kms_message/kms_azure_request.h
deleted file mode 100644
index 2e9af68fd03..00000000000
--- a/src/third_party/kms-message/src/kms_message/kms_azure_request.h
+++ /dev/null
@@ -1,110 +0,0 @@
-/*
- * Copyright 2020-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef KMS_AZURE_REQUEST_H
-#define KMS_AZURE_REQUEST_H
-
-#include "kms_message_defines.h"
-#include "kms_request.h"
-#include "kms_request_opt.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Constructs an oauth client credentials grant request for Azure.
- * See
- * https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token.
- *
- * Parameters:
- * All parameters must be NULL terminated strings.
- * - host: The value of the Host header. This should be a custom host or
- * "login.microsoftonline.com".
- * - scope: The oauth scope. This should be a custom scope or
- * "https%3A%2F%2Fvault.azure.net%2F.default". Must be URL encoded.
- * - tenant_id: The Azure tenant ID.
- * - client_id: The client ID to authenticate.
- * - client_secret: The client secret to authenticate.
- * - opt: Additional options. This must have the Azure provider set via
- * kms_request_opt_set_provider.
- *
- * Returns: A new kms_request_t.
- * Always returns a new kms_request_t, even on error.
- * Caller must check if an error occurred by calling kms_request_get_error.
- */
-KMS_MSG_EXPORT (kms_request_t *)
-kms_azure_request_oauth_new (const char *host,
- const char *scope,
- const char *tenant_id,
- const char *client_id,
- const char *client_secret,
- const kms_request_opt_t *opt);
-
-/* Constructs a wrapkey request for Azure.
- * See https://docs.microsoft.com/en-us/rest/api/keyvault/wrapkey/wrapkey
- *
- * Parameters:
- * All parameters must be NULL terminated strings.
- * - host: The value of the Host header, like "mykeyvault.vault.azure.net".
- * - access_token: The access_token obtained from an oauth response as a
- * base64url encoded string.
- * - key_name: The azure key name.
- * - key_version: An optional key version. May be NULL or empty string.
- * - plaintext: The plaintext key to encrypt.
- * - plaintext_len: The number of bytes of plaintext.
- * - opt: Additional options. This must have the Azure provider set via
- * kms_request_opt_set_provider.
- */
-
-KMS_MSG_EXPORT (kms_request_t *)
-kms_azure_request_wrapkey_new (const char *host,
- const char *access_token,
- const char *key_name,
- const char *key_version,
- const uint8_t *plaintext,
- size_t plaintext_len,
- const kms_request_opt_t *opt);
-
-/* Constructs an unwrapkey request for Azure.
- * See https://docs.microsoft.com/en-us/rest/api/keyvault/unwrapkey/unwrapkey
- *
- * Parameters:
- * All parameters must be NULL terminated strings.
- * - host: The value of the Host header, like "mykeyvault.vault.azure.net".
- * - access_token: The access_token obtained from an oauth response as a
- * base64url encoded string.
- * - key_name: The azure key name.
- * - key_version: An optional key version. May be NULL or empty string.
- * - ciphertext: The ciphertext key to decrypt.
- * - ciphertext_len: The number of bytes of ciphertext.
- * - opt: Additional options. This must have the Azure provider set via
- * kms_request_opt_set_provider.
- */
-
-KMS_MSG_EXPORT (kms_request_t *)
-kms_azure_request_unwrapkey_new (const char *host,
- const char *access_token,
- const char *key_name,
- const char *key_version,
- const uint8_t *ciphertext,
- size_t ciphertext_len,
- const kms_request_opt_t *opt);
-
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-#endif /* KMS_AZURE_REQUEST_H */
diff --git a/src/third_party/kms-message/src/kms_message/kms_b64.h b/src/third_party/kms-message/src/kms_message/kms_b64.h
deleted file mode 100644
index f0845cd331e..00000000000
--- a/src/third_party/kms-message/src/kms_message/kms_b64.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Copyright 2018-present MongoDB Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef KMS_MESSAGE_B64_H
-#define KMS_MESSAGE_B64_H
-
-#include "kms_message.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-KMS_MSG_EXPORT (void)
-kms_message_b64_initialize_rmap (void);
-
-KMS_MSG_EXPORT (int)
-kms_message_b64_ntop (uint8_t const *src,
- size_t srclength,
- char *target,
- size_t targsize);
-
-KMS_MSG_EXPORT (int)
-kms_message_b64_pton (char const *src, uint8_t *target, size_t targsize);
-
-/* src and target may be the same string. Assumes no whitespace in src. */
-KMS_MSG_EXPORT (int)
-kms_message_b64_to_b64url (const char *src,
- size_t srclength,
- char *target,
- size_t targsize);
-KMS_MSG_EXPORT (int)
-kms_message_b64url_to_b64 (const char *src,
- size_t srclength,
- char *target,
- size_t targsize);
-
-/* Convenience conversions which return copies. */
-char *
-kms_message_raw_to_b64 (const uint8_t *raw, size_t raw_len);
-
-uint8_t *
-kms_message_b64_to_raw (const char *b64, size_t *out);
-
-char *
-kms_message_raw_to_b64url (const uint8_t *raw, size_t raw_len);
-
-uint8_t *
-kms_message_b64url_to_raw (const char *b64url, size_t *out);
-
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-#endif /* KMS_MESSAGE_B64_H */
diff --git a/src/third_party/kms-message/src/kms_message/kms_caller_identity_request.h b/src/third_party/kms-message/src/kms_message/kms_caller_identity_request.h
deleted file mode 100644
index 9f48e534235..00000000000
--- a/src/third_party/kms-message/src/kms_message/kms_caller_identity_request.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright 2019-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef KMS_CALLER_IDENTITY_REQUEST_H
-#define KMS_CALLER_IDENTITY_REQUEST_H
-
-#include "kms_message_defines.h"
-#include "kms_request.h"
-#include "kms_request_opt.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-KMS_MSG_EXPORT (kms_request_t *)
-kms_caller_identity_request_new (const kms_request_opt_t *opt);
-
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-
-#endif /* KMS_CALLER_IDENTITY_REQUEST_H */
diff --git a/src/third_party/kms-message/src/kms_message/kms_decrypt_request.h b/src/third_party/kms-message/src/kms_message/kms_decrypt_request.h
deleted file mode 100644
index db18d5f5e1c..00000000000
--- a/src/third_party/kms-message/src/kms_message/kms_decrypt_request.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef KMS_DECRYPT_REQUEST_H
-#define KMS_DECRYPT_REQUEST_H
-
-#include "kms_message_defines.h"
-#include "kms_request.h"
-#include "kms_request_opt.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-KMS_MSG_EXPORT (kms_request_t *)
-kms_decrypt_request_new (const uint8_t *ciphertext_blob,
- size_t len,
- const kms_request_opt_t *opt);
-
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-#endif /* KMS_DECRYPT_REQUEST_H */
diff --git a/src/third_party/kms-message/src/kms_message/kms_encrypt_request.h b/src/third_party/kms-message/src/kms_message/kms_encrypt_request.h
deleted file mode 100644
index 601ee36297f..00000000000
--- a/src/third_party/kms-message/src/kms_message/kms_encrypt_request.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef KMS_ENCRYPT_REQUEST_H
-#define KMS_ENCRYPT_REQUEST_H
-
-#include "kms_message_defines.h"
-#include "kms_request.h"
-#include "kms_request_opt.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-KMS_MSG_EXPORT (kms_request_t *)
-kms_encrypt_request_new (const uint8_t *plaintext,
- size_t plaintext_length,
- const char *key_id,
- const kms_request_opt_t *opt);
-
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-
-#endif /* KMS_ENCRYPT_REQUEST_H */
diff --git a/src/third_party/kms-message/src/kms_message/kms_gcp_request.h b/src/third_party/kms-message/src/kms_message/kms_gcp_request.h
deleted file mode 100644
index 1d1555fb0c6..00000000000
--- a/src/third_party/kms-message/src/kms_message/kms_gcp_request.h
+++ /dev/null
@@ -1,124 +0,0 @@
-/*
- * Copyright 2020-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef KMS_GCP_REQUEST_H
-#define KMS_GCP_REQUEST_H
-
-#include "kms_message_defines.h"
-#include "kms_request.h"
-#include "kms_request_opt.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Constructs an oauth client credentials request for GCP.
- * See https://developers.google.com/identity/protocols/oauth2/service-account
- *
- * Parameters:
- * - host: The host header, like "oauth2.googleapis.com".
- * - email: The email for the service account to authenticate.
- * - audience: The "aud" field in the JSON Web Token (JWT). Should be a URL
- * like "https://oauth2.googleapis.com/token"
- * - scope: The "scope" field in the JSON Web Token (JWT). Should be a URL
- * like "https://www.googleapis.com/auth/cloudkms".
- * - private_key_data: Bytes pointing to a PKCS#8 private key.
- * - private_key_len: The length of private_key_data.
- * - opt: Request options. The provider must be set to KMS_REQUEST_PROVIDER_GCP
- * with kms_request_opt_set_provider. Callers that want to use a custom crypto
- * callback to sign the request should set the callback on opt with
- * kms_request_opt_set_crypto_hook_rsaes_pkcs1_v1_5.
- *
- * Returns: A new kms_request_t.
- * Always returns a new kms_request_t, even on error.
- * Caller must check if an error occurred by calling kms_request_get_error.
- */
-KMS_MSG_EXPORT (kms_request_t *)
-kms_gcp_request_oauth_new (const char *host,
- const char *email,
- const char *audience,
- const char *scope,
- const char *private_key_data,
- size_t private_key_len,
- const kms_request_opt_t *opt);
-
-/* Constructs the encrypt request for GCP.
- * See
- * https://cloud.google.com/kms/docs/encrypt-decrypt#kms-encrypt-symmetric-api
- *
- * Parameters:
- * - host: The value of the Host header, like "cloudkms.googleapis.com".
- * - project_id: The project id.
- * - location: The location id, like "global".
- * - key_ring_name: The key ring name.
- * - key_name: The key name.
- * - key_version: The optional key version. May be NULL.
- * - plaintext: The plaintext key to encrypt.
- * - plaintext_len: The number of bytes of plaintext.
- * - opt: Request options. The provider must be set to KMS_REQUEST_PROVIDER_GCP
- * with kms_request_opt_set_provider.
- *
- * Returns: A new kms_request_t.
- * Always returns a new kms_request_t, even on error.
- * Caller must check if an error occurred by calling kms_request_get_error.
- */
-KMS_MSG_EXPORT (kms_request_t *)
-kms_gcp_request_encrypt_new (const char *host,
- const char *access_token,
- const char *project_id,
- const char *location,
- const char *key_ring_name,
- const char *key_name,
- const char *key_version,
- const uint8_t *plaintext,
- size_t plaintext_len,
- const kms_request_opt_t *opt);
-
-/* Constructs the decrypt request for GCP.
- * See
- * https://cloud.google.com/kms/docs/encrypt-decrypt#kms-decrypt-symmetric-api
- *
- * Parameters:
- * - host: The value of the Host header, like "cloudkms.googleapis.com".
- * - project_id: The project id.
- * - location: The location id, like "global".
- * - key_ring_name: The key ring name.
- * - key_name: The key name.
- * - ciphertext: The ciphertext key to encrypt.
- * - ciphertext_len: The number of bytes of ciphertext.
- * - opt: Request options. The provider must be set to KMS_REQUEST_PROVIDER_GCP
- * with kms_request_opt_set_provider.
- *
- * Returns: A new kms_request_t.
- * Always returns a new kms_request_t, even on error.
- * Caller must check if an error occurred by calling kms_request_get_error.
- */
-KMS_MSG_EXPORT (kms_request_t *)
-kms_gcp_request_decrypt_new (const char *host,
- const char *access_token,
- const char *project_id,
- const char *location,
- const char *key_ring_name,
- const char *key_name,
- const uint8_t *ciphertext,
- size_t ciphertext_len,
- const kms_request_opt_t *opt);
-
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-#endif /* KMS_GCP_REQUEST_H */
diff --git a/src/third_party/kms-message/src/kms_message/kms_message.h b/src/third_party/kms-message/src/kms_message/kms_message.h
deleted file mode 100644
index 8048528f2e0..00000000000
--- a/src/third_party/kms-message/src/kms_message/kms_message.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef KMS_MESSAGE_H
-#define KMS_MESSAGE_H
-
-#include <sys/types.h>
-
-#include "kms_message_defines.h"
-#include "kms_request_opt.h"
-#include "kms_request.h"
-#include "kms_response.h"
-#include "kms_response_parser.h"
-#include "kms_caller_identity_request.h"
-#include "kms_decrypt_request.h"
-#include "kms_encrypt_request.h"
-
-#endif /* KMS_MESSAGE_H */
diff --git a/src/third_party/kms-message/src/kms_message/kms_message_defines.h b/src/third_party/kms-message/src/kms_message/kms_message_defines.h
deleted file mode 100644
index a539d531ef6..00000000000
--- a/src/third_party/kms-message/src/kms_message/kms_message_defines.h
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef KMS_MESSAGE_DEFINES_H
-#define KMS_MESSAGE_DEFINES_H
-
-
-#ifdef _MSC_VER
-#ifdef KMS_MSG_STATIC
-#define KMS_MSG_API
-#elif defined(KMS_MSG_COMPILATION)
-#define KMS_MSG_API __declspec(dllexport)
-#else
-#define KMS_MSG_API __declspec(dllimport)
-#endif
-#define KMS_MSG_CALL __cdecl
-#elif defined(__GNUC__)
-#ifdef KMS_MSG_STATIC
-#define KMS_MSG_API
-#elif defined(KMS_MSG_COMPILATION)
-#define KMS_MSG_API __attribute__ ((visibility ("default")))
-#else
-#define KMS_MSG_API
-#endif
-#define KMS_MSG_CALL
-#endif
-
-#define KMS_MSG_EXPORT(type) KMS_MSG_API type KMS_MSG_CALL
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-KMS_MSG_EXPORT (int)
-kms_message_init (void);
-KMS_MSG_EXPORT (void)
-kms_message_cleanup (void);
-
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-#ifdef _MSC_VER
-#include <basetsd.h>
-#pragma warning(disable : 4142)
-#ifndef _SSIZE_T_DEFINED
-#define _SSIZE_T_DEFINED
-typedef SSIZE_T ssize_t;
-#endif
-#pragma warning(default : 4142)
-#endif
-
-#endif /* KMS_MESSAGE_DEFINES_H */
diff --git a/src/third_party/kms-message/src/kms_message/kms_request.h b/src/third_party/kms-message/src/kms_message/kms_request.h
deleted file mode 100644
index 0428c813491..00000000000
--- a/src/third_party/kms-message/src/kms_message/kms_request.h
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef KMS_REQUEST_H
-#define KMS_REQUEST_H
-
-#include "kms_message_defines.h"
-#include "kms_request_opt.h"
-
-#include <stdbool.h>
-#include <stdint.h>
-#include <stdlib.h>
-#include <time.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* A KMS request is general enough to create arbitrary HTTP requests, but also
- * supports generating AWS signature v4. */
-typedef struct _kms_request_t kms_request_t;
-
-KMS_MSG_EXPORT (kms_request_t *)
-kms_request_new (const char *method,
- const char *path_and_query,
- const kms_request_opt_t *opt);
-KMS_MSG_EXPORT (void)
-kms_request_destroy (kms_request_t *request);
-KMS_MSG_EXPORT (const char *)
-kms_request_get_error (kms_request_t *request);
-
-/* Begin: AWS specific */
-KMS_MSG_EXPORT (bool)
-kms_request_set_date (kms_request_t *request, const struct tm *tm);
-KMS_MSG_EXPORT (bool)
-kms_request_set_region (kms_request_t *request, const char *region);
-KMS_MSG_EXPORT (bool)
-kms_request_set_service (kms_request_t *request, const char *service);
-KMS_MSG_EXPORT (bool)
-kms_request_set_access_key_id (kms_request_t *request, const char *akid);
-KMS_MSG_EXPORT (bool)
-kms_request_set_secret_key (kms_request_t *request, const char *key);
-/* End: AWS specific */
-
-KMS_MSG_EXPORT (bool)
-kms_request_add_header_field (kms_request_t *request,
- const char *field_name,
- const char *value);
-KMS_MSG_EXPORT (bool)
-kms_request_append_header_field_value (kms_request_t *request,
- const char *value,
- size_t len);
-KMS_MSG_EXPORT (bool)
-kms_request_append_payload (kms_request_t *request,
- const char *payload,
- size_t len);
-
-/* Begin: AWS specific */
-KMS_MSG_EXPORT (char *)
-kms_request_get_canonical (kms_request_t *request);
-
-KMS_MSG_EXPORT (const char *)
-kms_request_get_canonical_header (kms_request_t *request, const char *header);
-
-KMS_MSG_EXPORT (char *)
-kms_request_get_string_to_sign (kms_request_t *request);
-KMS_MSG_EXPORT (bool)
-kms_request_get_signing_key (kms_request_t *request, unsigned char *key);
-KMS_MSG_EXPORT (char *)
-kms_request_get_signature (kms_request_t *request);
-KMS_MSG_EXPORT (char *)
-kms_request_get_signed (kms_request_t *request);
-/* End: AWS specific */
-
-KMS_MSG_EXPORT (void)
-kms_request_free_string (char *ptr);
-
-/* Finalize and obtain a plain HTTP request (no signing). */
-KMS_MSG_EXPORT (char *) kms_request_to_string (kms_request_t *request);
-
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-#endif /* KMS_REQUEST_H */
diff --git a/src/third_party/kms-message/src/kms_message/kms_request_opt.h b/src/third_party/kms-message/src/kms_message/kms_request_opt.h
deleted file mode 100644
index 74a3fb69771..00000000000
--- a/src/third_party/kms-message/src/kms_message/kms_request_opt.h
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef KMS_REQUEST_OPT_H
-#define KMS_REQUEST_OPT_H
-
-#include "kms_message_defines.h"
-
-#include <stdbool.h>
-#include <stdlib.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef struct _kms_request_opt_t kms_request_opt_t;
-
-typedef size_t kms_request_provider_t;
-
-#define KMS_REQUEST_PROVIDER_AWS 0
-#define KMS_REQUEST_PROVIDER_AZURE 1
-#define KMS_REQUEST_PROVIDER_GCP 2
-
-KMS_MSG_EXPORT (kms_request_opt_t *)
-kms_request_opt_new (void);
-
-/* The default provider is AWS. This will automatically set extra headers.
- * Returns false if provider is invalid. */
-KMS_MSG_EXPORT (bool)
-kms_request_opt_set_provider (kms_request_opt_t *opt,
- kms_request_provider_t provider);
-KMS_MSG_EXPORT (void)
-kms_request_opt_destroy (kms_request_opt_t *request);
-KMS_MSG_EXPORT (void)
-kms_request_opt_set_connection_close (kms_request_opt_t *opt,
- bool connection_close);
-
-KMS_MSG_EXPORT (void)
-kms_request_opt_set_crypto_hooks (kms_request_opt_t *opt,
- bool (*sha256) (void *ctx,
- const char *input,
- size_t len,
- unsigned char *hash_out),
- bool (*sha256_hmac) (void *ctx,
- const char *key_input,
- size_t key_len,
- const char *input,
- size_t len,
- unsigned char *hash_out),
- void *ctx);
-
-KMS_MSG_EXPORT (void)
-kms_request_opt_set_crypto_hook_sign_rsaes_pkcs1_v1_5 (
- kms_request_opt_t *opt,
- bool (*sign_rsaes_pkcs1_v1_5) (void *ctx,
- const char *private_key,
- size_t private_key_len,
- const char *input,
- size_t input_len,
- unsigned char *signature_out),
- void *ctx);
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-#endif /* KMS_REQUEST_OPT_H */
diff --git a/src/third_party/kms-message/src/kms_message/kms_response.h b/src/third_party/kms-message/src/kms_message/kms_response.h
deleted file mode 100644
index d270f248826..00000000000
--- a/src/third_party/kms-message/src/kms_message/kms_response.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef KMS_RESPONSE_H
-#define KMS_RESPONSE_H
-
-#include "kms_message_defines.h"
-
-#include <sys/types.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef struct _kms_response_t kms_response_t;
-
-KMS_MSG_EXPORT (int)
-kms_response_get_status (kms_response_t *response);
-KMS_MSG_EXPORT (const char *)
-kms_response_get_body (kms_response_t *response, size_t *len);
-KMS_MSG_EXPORT (void) kms_response_destroy (kms_response_t *response);
-
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-#endif /* KMS_RESPONSE_H */
diff --git a/src/third_party/kms-message/src/kms_message/kms_response_parser.h b/src/third_party/kms-message/src/kms_message/kms_response_parser.h
deleted file mode 100644
index 0bdf0809a00..00000000000
--- a/src/third_party/kms-message/src/kms_message/kms_response_parser.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef KMS_RESPONSE_PARSER_H
-#define KMS_RESPONSE_PARSER_H
-
-#include "kms_message_defines.h"
-#include "kms_response.h"
-
-#include <sys/types.h>
-#include <stdbool.h>
-#include <stdint.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef struct _kms_response_parser_t kms_response_parser_t;
-
-KMS_MSG_EXPORT (kms_response_parser_t *)
-kms_response_parser_new (void);
-
-KMS_MSG_EXPORT (int)
-kms_response_parser_wants_bytes (kms_response_parser_t *parser, int32_t max);
-
-KMS_MSG_EXPORT (bool)
-kms_response_parser_feed (kms_response_parser_t *parser,
- uint8_t *buf,
- uint32_t len);
-
-KMS_MSG_EXPORT (kms_response_t *)
-kms_response_parser_get_response (kms_response_parser_t *parser);
-
-KMS_MSG_EXPORT (int)
-kms_response_parser_status (kms_response_parser_t *parser);
-
-KMS_MSG_EXPORT (const char *)
-kms_response_parser_error (kms_response_parser_t *parser);
-
-KMS_MSG_EXPORT (void)
-kms_response_parser_destroy (kms_response_parser_t *parser);
-
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-#endif /* KMS_RESPONSE_PARSER_H */
diff --git a/src/third_party/kms-message/src/kms_message_private.h b/src/third_party/kms-message/src/kms_message_private.h
deleted file mode 100644
index b41b56836ae..00000000000
--- a/src/third_party/kms-message/src/kms_message_private.h
+++ /dev/null
@@ -1,106 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef KMS_MESSAGE_PRIVATE_H
-#define KMS_MESSAGE_PRIVATE_H
-
-#include <stdio.h>
-
-#include "kms_message/kms_message.h"
-#include "kms_request_str.h"
-#include "kms_kv_list.h"
-#include "kms_crypto.h"
-
-struct _kms_request_t {
- char error[512];
- bool failed;
- bool finalized;
- /* Begin: AWS specific */
- kms_request_str_t *region;
- kms_request_str_t *service;
- kms_request_str_t *access_key_id;
- kms_request_str_t *secret_key;
- kms_request_str_t *datetime;
- kms_request_str_t *date;
- /* End: AWS specific */
- kms_request_str_t *method;
- kms_request_str_t *path;
- kms_request_str_t *query;
- kms_request_str_t *payload;
- kms_kv_list_t *query_params;
- kms_kv_list_t *header_fields;
- /* turn off for tests only, not in public kms_request_opt_t API */
- bool auto_content_length;
- _kms_crypto_t crypto;
- kms_request_provider_t provider;
-};
-
-struct _kms_response_t {
- int status;
- kms_kv_list_t *headers;
- kms_request_str_t *body;
-};
-
-typedef enum {
- PARSING_STATUS_LINE,
- PARSING_HEADER,
- PARSING_BODY,
- PARSING_CHUNK_LENGTH,
- PARSING_CHUNK,
- PARSING_DONE
-} kms_response_parser_state_t;
-
-struct _kms_response_parser_t {
- char error[512];
- bool failed;
- kms_response_t *response;
- kms_request_str_t *raw_response;
- int content_length;
- int start; /* start of the current thing getting parsed. */
-
- /* Support two types of HTTP 1.1 responses.
- * - "Content-Length: x" header is present, indicating the body length.
- * - "Transfer-Encoding: chunked" header is present, indicating a stream of
- * chunks.
- */
- bool transfer_encoding_chunked;
- int chunk_size;
- kms_response_parser_state_t state;
-};
-
-#define CHECK_FAILED \
- do { \
- if (request->failed) { \
- return false; \
- } \
- } while (0)
-
-void
-set_error (char *error, size_t size, const char *fmt, ...);
-
-#define KMS_ERROR(obj, ...) \
- do { \
- obj->failed = true; \
- set_error (obj->error, sizeof (obj->error), __VA_ARGS__); \
- } while (0)
-
-#define KMS_ASSERT(stmt) \
- if (!(stmt)) { \
- fprintf (stderr, "%s failed\n", #stmt); \
- abort (); \
- }
-
-#endif /* KMS_MESSAGE_PRIVATE_H */
diff --git a/src/third_party/kms-message/src/kms_port.c b/src/third_party/kms-message/src/kms_port.c
deleted file mode 100644
index ee9e6ed9c90..00000000000
--- a/src/third_party/kms-message/src/kms_port.c
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright 2020-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "kms_port.h"
-#if defined(_WIN32)
-#include <stdlib.h>
-#include <string.h>
-char * kms_strndup (const char *src, size_t len)
-{
- char *dst = (char *) malloc (len + 1);
- if (!dst) {
- return 0;
- }
-
- memcpy (dst, src, len);
- dst[len] = '\0';
-
- return dst;
-}
-#endif
\ No newline at end of file
diff --git a/src/third_party/kms-message/src/kms_port.h b/src/third_party/kms-message/src/kms_port.h
deleted file mode 100644
index 2123a99dc95..00000000000
--- a/src/third_party/kms-message/src/kms_port.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"){}
- *
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef KMS_PORT_H
-#define KMS_PORT_H
-
-#include <stddef.h>
-
-#if defined(_WIN32)
-#define kms_strcasecmp _stricmp
-char *
-kms_strndup (const char *src, size_t len);
-#else
-#define kms_strndup strndup
-#define kms_strcasecmp strcasecmp
-#endif
-
-#endif /* KMS_PORT_H */
\ No newline at end of file
diff --git a/src/third_party/kms-message/src/kms_request.c b/src/third_party/kms-message/src/kms_request.c
deleted file mode 100644
index 58bfb990b7d..00000000000
--- a/src/third_party/kms-message/src/kms_request.c
+++ /dev/null
@@ -1,818 +0,0 @@ -/* - * Copyright 2018-present MongoDB, Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"){} - * - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include "kms_crypto.h" -#include "kms_message/kms_message.h" -#include "kms_message_private.h" -#include "kms_request_opt_private.h" -#include "kms_port.h" - -static kms_kv_list_t * -parse_query_params (kms_request_str_t *q) -{ - kms_kv_list_t *lst = kms_kv_list_new (); - char *p = q->str; - char *end = q->str + q->len; - char *amp, *equals; - kms_request_str_t *k, *v; - - do { - equals = strchr ((const char *) p, '='); - if (!equals) { - kms_kv_list_destroy (lst); - return NULL; - } - amp = strchr ((const char *) equals, '&'); - if (!amp) { - amp = end; - } - - k = kms_request_str_new_from_chars (p, equals - p); - v = kms_request_str_new_from_chars (equals + 1, amp - equals - 1); - kms_kv_list_add (lst, k, v); - kms_request_str_destroy (k); - kms_request_str_destroy (v); - - p = amp + 1; - } while (p < end); - - return lst; -} - -kms_request_t * -kms_request_new (const char *method, - const char *path_and_query, - const kms_request_opt_t *opt) -{ - kms_request_t *request = calloc (1, sizeof (kms_request_t)); - const char *question_mark; - - KMS_ASSERT (request); - if (opt && opt->provider) { - request->provider = opt->provider; - } else { - request->provider = KMS_REQUEST_PROVIDER_AWS; - } - /* parsing may set failed to true */ - request->failed = false; - - request->finalized = false; - request->region = kms_request_str_new (); - 
request->service = kms_request_str_new (); - request->access_key_id = kms_request_str_new (); - request->secret_key = kms_request_str_new (); - - question_mark = strchr (path_and_query, '?'); - if (question_mark) { - request->path = kms_request_str_new_from_chars ( - path_and_query, question_mark - path_and_query); - request->query = kms_request_str_new_from_chars (question_mark + 1, -1); - request->query_params = parse_query_params (request->query); - if (!request->query_params) { - KMS_ERROR (request, "Cannot parse query: %s", request->query->str); - } - } else { - request->path = kms_request_str_new_from_chars (path_and_query, -1); - request->query = kms_request_str_new (); - request->query_params = kms_kv_list_new (); - } - - request->payload = kms_request_str_new (); - request->date = kms_request_str_new (); - request->datetime = kms_request_str_new (); - request->method = kms_request_str_new_from_chars (method, -1); - request->header_fields = kms_kv_list_new (); - request->auto_content_length = true; - - /* For AWS KMS requests, add a X-Amz-Date header. 
*/ - if (request->provider == KMS_REQUEST_PROVIDER_AWS && - !kms_request_set_date (request, NULL)) { - return request; - } - - if (opt && opt->connection_close) { - if (!kms_request_add_header_field (request, "Connection", "close")) { - return request; - } - } - - if (opt && opt->crypto.sha256) { - memcpy (&request->crypto, &opt->crypto, sizeof (opt->crypto)); - } else { - request->crypto.sha256 = kms_sha256; - request->crypto.sha256_hmac = kms_sha256_hmac; - } - - return request; -} - -void -kms_request_destroy (kms_request_t *request) -{ - kms_request_str_destroy (request->region); - kms_request_str_destroy (request->service); - kms_request_str_destroy (request->access_key_id); - kms_request_str_destroy (request->secret_key); - kms_request_str_destroy (request->method); - kms_request_str_destroy (request->path); - kms_request_str_destroy (request->query); - kms_request_str_destroy (request->payload); - kms_request_str_destroy (request->datetime); - kms_request_str_destroy (request->date); - kms_kv_list_destroy (request->query_params); - kms_kv_list_destroy (request->header_fields); - free (request); -} - -const char * -kms_request_get_error (kms_request_t *request) -{ - return request->failed ? 
request->error : NULL; -} - -#define AMZ_DT_FORMAT "YYYYmmDDTHHMMSSZ" - -bool -kms_request_set_date (kms_request_t *request, const struct tm *tm) -{ - char buf[sizeof AMZ_DT_FORMAT]; - struct tm tmp_tm; - - if (request->failed) { - return false; - } - - if (!tm) { - /* use current time */ - time_t t; - time (&t); -#ifdef _WIN32 - gmtime_s (&tmp_tm, &t); -#else - gmtime_r (&t, &tmp_tm); -#endif - tm = &tmp_tm; - } - - if (0 == strftime (buf, sizeof AMZ_DT_FORMAT, "%Y%m%dT%H%M%SZ", tm)) { - KMS_ERROR (request, "Invalid tm struct"); - return false; - } - - kms_request_str_set_chars (request->date, buf, sizeof "YYYYmmDD" - 1); - kms_request_str_set_chars (request->datetime, buf, sizeof AMZ_DT_FORMAT - 1); - kms_kv_list_del (request->header_fields, "X-Amz-Date"); - if (!kms_request_add_header_field (request, "X-Amz-Date", buf)) { - return false; - } - - return true; -} - -#undef AMZ_DT_FORMAT - -bool -kms_request_set_region (kms_request_t *request, const char *region) -{ - kms_request_str_set_chars (request->region, region, -1); - return true; -} - -bool -kms_request_set_service (kms_request_t *request, const char *service) -{ - kms_request_str_set_chars (request->service, service, -1); - return true; -} - -bool -kms_request_set_access_key_id (kms_request_t *request, const char *akid) -{ - kms_request_str_set_chars (request->access_key_id, akid, -1); - return true; -} - -bool -kms_request_set_secret_key (kms_request_t *request, const char *key) -{ - kms_request_str_set_chars (request->secret_key, key, -1); - return true; -} - -bool -kms_request_add_header_field (kms_request_t *request, - const char *field_name, - const char *value) -{ - kms_request_str_t *k, *v; - - CHECK_FAILED; - - k = kms_request_str_new_from_chars (field_name, -1); - v = kms_request_str_new_from_chars (value, -1); - kms_kv_list_add (request->header_fields, k, v); - kms_request_str_destroy (k); - kms_request_str_destroy (v); - - return true; -} - -bool -kms_request_append_header_field_value 
(kms_request_t *request, - const char *value, - size_t len) -{ - kms_request_str_t *v; - - CHECK_FAILED; - - if (request->header_fields->len == 0) { - KMS_ERROR ( - request, - "Ensure the request has at least one header field before calling %s", - __FUNCTION__); - } - - v = request->header_fields->kvs[request->header_fields->len - 1].value; - kms_request_str_append_chars (v, value, len); - - return true; -} - -bool -kms_request_append_payload (kms_request_t *request, - const char *payload, - size_t len) -{ - CHECK_FAILED; - - kms_request_str_append_chars (request->payload, payload, len); - - return true; -} - -/* docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html - * - * "Sort the parameter names by character code point in ascending order. For - * example, a parameter name that begins with the uppercase letter F precedes a - * parameter name that begins with a lowercase letter b." - */ -static int -cmp_query_params (const void *a, const void *b) -{ - int r = strcmp (((kms_kv_t *) a)->key->str, ((kms_kv_t *) b)->key->str); - if (r != 0) { - return r; - } - - /* not in docs, but tested in get-vanilla-query-order-key: sort by value */ - return strcmp (((kms_kv_t *) a)->value->str, ((kms_kv_t *) b)->value->str); -} - -static void -append_canonical_query (kms_request_t *request, kms_request_str_t *str) -{ - size_t i; - kms_kv_list_t *lst; - - if (!request->query_params->len) { - return; - } - - lst = kms_kv_list_dup (request->query_params); - kms_kv_list_sort (lst, cmp_query_params); - - for (i = 0; i < lst->len; i++) { - kms_request_str_append_escaped (str, lst->kvs[i].key, true); - kms_request_str_append_char (str, '='); - kms_request_str_append_escaped (str, lst->kvs[i].value, true); - - if (i < lst->len - 1) { - kms_request_str_append_char (str, '&'); - } - } - - kms_kv_list_destroy (lst); -} - -/* "lst" is a sorted list of headers */ -static void -append_canonical_headers (kms_kv_list_t *lst, kms_request_str_t *str) -{ - size_t i; - kms_kv_t 
*kv; - const kms_request_str_t *previous_key = NULL; - - /* aws docs: "To create the canonical headers list, convert all header names - * to lowercase and remove leading spaces and trailing spaces. Convert - * sequential spaces in the header value to a single space." "Do not sort the - * values in headers that have multiple values." */ - for (i = 0; i < lst->len; i++) { - kv = &lst->kvs[i]; - if (previous_key && - 0 == kms_strcasecmp (previous_key->str, kv->key->str)) { - /* duplicate header */ - kms_request_str_append_char (str, ','); - kms_request_str_append_stripped (str, kv->value); - continue; - } - - if (i > 0) { - kms_request_str_append_newline (str); - } - - kms_request_str_append_lowercase (str, kv->key); - kms_request_str_append_char (str, ':'); - kms_request_str_append_stripped (str, kv->value); - previous_key = kv->key; - } - - kms_request_str_append_newline (str); -} - -static void -append_signed_headers (kms_kv_list_t *lst, kms_request_str_t *str) -{ - size_t i; - - kms_kv_t *kv; - const kms_request_str_t *previous_key = NULL; - - for (i = 0; i < lst->len; i++) { - kv = &lst->kvs[i]; - if (previous_key && - 0 == kms_strcasecmp (previous_key->str, kv->key->str)) { - /* duplicate header */ - continue; - } - - if (0 == kms_strcasecmp (kv->key->str, "connection")) { - continue; - } - - kms_request_str_append_lowercase (str, kv->key); - if (i < lst->len - 1) { - kms_request_str_append_char (str, ';'); - } - - previous_key = kv->key; - } -} - -static bool -finalize (kms_request_t *request) -{ - kms_kv_list_t *lst; - kms_request_str_t *k; - kms_request_str_t *v; - - if (request->failed) { - return false; - } - - if (request->finalized) { - return true; - } - - request->finalized = true; - - lst = request->header_fields; - - if (!kms_kv_list_find (lst, "Host")) { - if (request->provider != KMS_REQUEST_PROVIDER_AWS) { - KMS_ERROR (request, "Required Host header not set"); - return false; - } - /* For AWS requests, derive a default Host header from region + 
service. - * E.g. "kms.us-east-1.amazonaws.com" */ - k = kms_request_str_new_from_chars ("Host", -1); - v = kms_request_str_dup (request->service); - kms_request_str_append_char (v, '.'); - kms_request_str_append (v, request->region); - kms_request_str_append_chars (v, ".amazonaws.com", -1); - kms_kv_list_add (lst, k, v); - kms_request_str_destroy (k); - kms_request_str_destroy (v); - } - - if (!kms_kv_list_find (lst, "Content-Length") && request->payload->len && - request->auto_content_length) { - k = kms_request_str_new_from_chars ("Content-Length", -1); - v = kms_request_str_new (); - kms_request_str_appendf (v, "%zu", request->payload->len); - kms_kv_list_add (lst, k, v); - kms_request_str_destroy (k); - kms_request_str_destroy (v); - } - - return true; -} - -/* docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html - * - * "Build the canonical headers list by sorting the (lowercase) headers by - * character code... Do not sort the values in headers that have multiple - * values." 
- */ -static int -cmp_header_field_names (const void *a, const void *b) -{ - return kms_strcasecmp (((kms_kv_t *) a)->key->str, - ((kms_kv_t *) b)->key->str); -} - -static kms_kv_list_t * -canonical_headers (const kms_request_t *request) -{ - kms_kv_list_t *lst; - - KMS_ASSERT (request->finalized); - lst = kms_kv_list_dup (request->header_fields); - kms_kv_list_sort (lst, cmp_header_field_names); - kms_kv_list_del (lst, "Connection"); - return lst; -} - -char * -kms_request_get_canonical (kms_request_t *request) -{ - kms_request_str_t *canonical; - kms_request_str_t *normalized; - kms_kv_list_t *lst; - - if (request->failed) { - return NULL; - } - - if (!finalize (request)) { - return NULL; - } - - canonical = kms_request_str_new (); - kms_request_str_append (canonical, request->method); - kms_request_str_append_newline (canonical); - normalized = kms_request_str_path_normalized (request->path); - kms_request_str_append_escaped (canonical, normalized, false); - kms_request_str_destroy (normalized); - kms_request_str_append_newline (canonical); - append_canonical_query (request, canonical); - kms_request_str_append_newline (canonical); - lst = canonical_headers (request); - append_canonical_headers (lst, canonical); - kms_request_str_append_newline (canonical); - append_signed_headers (lst, canonical); - kms_kv_list_destroy (lst); - kms_request_str_append_newline (canonical); - if (!kms_request_str_append_hashed ( - &request->crypto, canonical, request->payload)) { - KMS_ERROR (request, "could not generate hash"); - kms_request_str_destroy (canonical); - return NULL; - } - - return kms_request_str_detach (canonical); -} - -const char * -kms_request_get_canonical_header (kms_request_t *request, const char *header) -{ - const kms_kv_t *value; - - if (request->failed) { - return NULL; - } - - if (!finalize (request)) { - return NULL; - } - - value = kms_kv_list_find (request->header_fields, header); - if (!value) { - return NULL; - } - - return value->value->str; -} - 
-char * -kms_request_get_string_to_sign (kms_request_t *request) -{ - bool success = false; - kms_request_str_t *sts; - kms_request_str_t *creq = NULL; /* canonical request */ - - if (request->failed) { - return NULL; - } - - if (!finalize (request)) { - return NULL; - } - - sts = kms_request_str_new (); - kms_request_str_append_chars (sts, "AWS4-HMAC-SHA256\n", -1); - kms_request_str_append (sts, request->datetime); - kms_request_str_append_newline (sts); - - /* credential scope, like "20150830/us-east-1/service/aws4_request" */ - kms_request_str_append (sts, request->date); - kms_request_str_append_char (sts, '/'); - kms_request_str_append (sts, request->region); - kms_request_str_append_char (sts, '/'); - kms_request_str_append (sts, request->service); - kms_request_str_append_chars (sts, "/aws4_request\n", -1); - - creq = kms_request_str_wrap (kms_request_get_canonical (request), -1); - if (!creq) { - goto done; - } - - if (!kms_request_str_append_hashed (&request->crypto, sts, creq)) { - goto done; - } - - success = true; -done: - kms_request_str_destroy (creq); - if (!success) { - kms_request_str_destroy (sts); - sts = NULL; - } - - return kms_request_str_detach (sts); -} - -static bool -kms_request_hmac (_kms_crypto_t *crypto, - unsigned char *out, - kms_request_str_t *key, - kms_request_str_t *data) -{ - return crypto->sha256_hmac ( - crypto->ctx, key->str, (int) key->len, data->str, data->len, out); -} - -static bool -kms_request_hmac_again (_kms_crypto_t *crypto, - unsigned char *out, - unsigned char *in, - kms_request_str_t *data) -{ - return crypto->sha256_hmac ( - crypto->ctx, (const char *) in, 32, data->str, data->len, out); -} - -bool -kms_request_get_signing_key (kms_request_t *request, unsigned char *key) -{ - bool success = false; - kms_request_str_t *aws4_plus_secret = NULL; - kms_request_str_t *aws4_request = NULL; - unsigned char k_date[32]; - unsigned char k_region[32]; - unsigned char k_service[32]; - - if (request->failed) { - return false; 
- } - - /* docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html - * Pseudocode for deriving a signing key - * - * kSecret = your secret access key - * kDate = HMAC("AWS4" + kSecret, Date) - * kRegion = HMAC(kDate, Region) - * kService = HMAC(kRegion, Service) - * kSigning = HMAC(kService, "aws4_request") - */ - aws4_plus_secret = kms_request_str_new_from_chars ("AWS4", -1); - kms_request_str_append (aws4_plus_secret, request->secret_key); - - aws4_request = kms_request_str_new_from_chars ("aws4_request", -1); - - if (!(kms_request_hmac ( - &request->crypto, k_date, aws4_plus_secret, request->date) && - kms_request_hmac_again ( - &request->crypto, k_region, k_date, request->region) && - kms_request_hmac_again ( - &request->crypto, k_service, k_region, request->service) && - kms_request_hmac_again ( - &request->crypto, key, k_service, aws4_request))) { - goto done; - } - - success = true; -done: - kms_request_str_destroy (aws4_plus_secret); - kms_request_str_destroy (aws4_request); - - return success; -} - -char * -kms_request_get_signature (kms_request_t *request) -{ - bool success = false; - kms_kv_list_t *lst = NULL; - kms_request_str_t *sig = NULL; - kms_request_str_t *sts = NULL; - unsigned char signing_key[32]; - unsigned char signature[32]; - - if (request->failed) { - return NULL; - } - - sts = kms_request_str_wrap (kms_request_get_string_to_sign (request), -1); - if (!sts) { - goto done; - } - - sig = kms_request_str_new (); - kms_request_str_append_chars (sig, "AWS4-HMAC-SHA256 Credential=", -1); - kms_request_str_append (sig, request->access_key_id); - kms_request_str_append_char (sig, '/'); - kms_request_str_append (sig, request->date); - kms_request_str_append_char (sig, '/'); - kms_request_str_append (sig, request->region); - kms_request_str_append_char (sig, '/'); - kms_request_str_append (sig, request->service); - kms_request_str_append_chars (sig, "/aws4_request, SignedHeaders=", -1); - lst = canonical_headers (request); - 
append_signed_headers (lst, sig); - kms_request_str_append_chars (sig, ", Signature=", -1); - if (!(kms_request_get_signing_key (request, signing_key) && - kms_request_hmac_again ( - &request->crypto, signature, signing_key, sts))) { - goto done; - } - - kms_request_str_append_hex (sig, signature, sizeof (signature)); - success = true; -done: - kms_kv_list_destroy (lst); - kms_request_str_destroy (sts); - - if (!success) { - kms_request_str_destroy (sig); - sig = NULL; - } - - return kms_request_str_detach (sig); -} - -void -kms_request_validate (kms_request_t *request) -{ - if (0 == request->region->len) { - KMS_ERROR (request, "Region not set"); - } else if (0 == request->service->len) { - KMS_ERROR (request, "Service not set"); - } else if (0 == request->access_key_id->len) { - KMS_ERROR (request, "Access key ID not set"); - } else if (0 == request->method->len) { - KMS_ERROR (request, "Method not set"); - } else if (0 == request->path->len) { - KMS_ERROR (request, "Path not set"); - } else if (0 == request->date->len) { - KMS_ERROR (request, "Date not set"); - } else if (0 == request->secret_key->len) { - KMS_ERROR (request, "Secret key not set"); - } -} - -char * -kms_request_get_signed (kms_request_t *request) -{ - bool success = false; - kms_kv_list_t *lst = NULL; - char *signature = NULL; - kms_request_str_t *sreq = NULL; - size_t i; - - kms_request_validate (request); - if (request->failed) { - return NULL; - } - - if (!finalize (request)) { - return NULL; - } - - sreq = kms_request_str_new (); - /* like "POST / HTTP/1.1" */ - kms_request_str_append (sreq, request->method); - kms_request_str_append_char (sreq, ' '); - kms_request_str_append (sreq, request->path); - if (request->query->len) { - kms_request_str_append_char (sreq, '?'); - kms_request_str_append (sreq, request->query); - } - - kms_request_str_append_chars (sreq, " HTTP/1.1", -1); - kms_request_str_append_newline (sreq); - - /* headers */ - lst = kms_kv_list_dup (request->header_fields); - 
kms_kv_list_sort (lst, cmp_header_field_names); - for (i = 0; i < lst->len; i++) { - kms_request_str_append (sreq, lst->kvs[i].key); - kms_request_str_append_char (sreq, ':'); - kms_request_str_append (sreq, lst->kvs[i].value); - kms_request_str_append_newline (sreq); - } - - /* authorization header */ - signature = kms_request_get_signature (request); - if (!signature) { - goto done; - } - - /* note space after ':', to match test .sreq files */ - kms_request_str_append_chars (sreq, "Authorization: ", -1); - kms_request_str_append_chars (sreq, signature, -1); - - /* body */ - if (request->payload->len) { - kms_request_str_append_newline (sreq); - kms_request_str_append_newline (sreq); - kms_request_str_append (sreq, request->payload); - } - - success = true; -done: - free (signature); - kms_kv_list_destroy (lst); - - if (!success) { - kms_request_str_destroy (sreq); - sreq = NULL; - } - - return kms_request_str_detach (sreq); -} - -char * -kms_request_to_string (kms_request_t *request) -{ - kms_kv_list_t *lst = NULL; - kms_request_str_t *sreq = NULL; - size_t i; - - if (!finalize (request)) { - return false; - } - - sreq = kms_request_str_new (); - /* like "POST / HTTP/1.1" */ - kms_request_str_append (sreq, request->method); - kms_request_str_append_char (sreq, ' '); - kms_request_str_append (sreq, request->path); - if (request->query->len) { - kms_request_str_append_char (sreq, '?'); - kms_request_str_append (sreq, request->query); - } - - kms_request_str_append_chars (sreq, " HTTP/1.1", -1); - kms_request_str_append_newline (sreq); - - /* headers */ - lst = kms_kv_list_dup (request->header_fields); - kms_kv_list_sort (lst, cmp_header_field_names); - for (i = 0; i < lst->len; i++) { - kms_request_str_append (sreq, lst->kvs[i].key); - kms_request_str_append_char (sreq, ':'); - kms_request_str_append (sreq, lst->kvs[i].value); - kms_request_str_append_newline (sreq); - } - - kms_request_str_append_newline (sreq); - - /* body */ - if (request->payload->len) { - 
kms_request_str_append (sreq, request->payload); - } - - kms_kv_list_destroy (lst); - return kms_request_str_detach (sreq); -} - -void -kms_request_free_string (char *ptr) -{ - free (ptr); -} diff --git a/src/third_party/kms-message/src/kms_request_opt.c b/src/third_party/kms-message/src/kms_request_opt.c deleted file mode 100644 index b0a184fad7a..00000000000 --- a/src/third_party/kms-message/src/kms_request_opt.c +++ /dev/null 
@@ -1,87 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"){}
- *
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "kms_request_opt_private.h"
-
-#include <stdlib.h>
-
-kms_request_opt_t *
-kms_request_opt_new (void)
-{
- return calloc (1, sizeof (kms_request_opt_t));
-}
-
-void
-kms_request_opt_destroy (kms_request_opt_t *request)
-{
- free (request);
-}
-
-void
-kms_request_opt_set_connection_close (kms_request_opt_t *opt,
- bool connection_close)
-{
- opt->connection_close = connection_close;
-}
-
-
-void
-kms_request_opt_set_crypto_hooks (kms_request_opt_t *opt,
- bool (*sha256) (void *ctx,
- const char *input,
- size_t len,
- unsigned char *hash_out),
- bool (*sha256_hmac) (void *ctx,
- const char *key_input,
- size_t key_len,
- const char *input,
- size_t len,
- unsigned char *hash_out),
- void *ctx)
-{
- opt->crypto.sha256 = sha256;
- opt->crypto.sha256_hmac = sha256_hmac;
- opt->crypto.ctx = ctx;
-}
-
-bool
-kms_request_opt_set_provider (kms_request_opt_t *opt,
- kms_request_provider_t provider)
-{
- if (provider != KMS_REQUEST_PROVIDER_AWS &&
- provider != KMS_REQUEST_PROVIDER_AZURE &&
- provider != KMS_REQUEST_PROVIDER_GCP) {
- return false;
- }
- opt->provider = provider;
- return true;
-}
-
-void
-kms_request_opt_set_crypto_hook_sign_rsaes_pkcs1_v1_5 (
- kms_request_opt_t *opt,
- bool (*sign_rsaes_pkcs1_v1_5) (void *sign_ctx,
- const char *private_key,
- size_t private_key_len,
- const char *input,
- size_t input_len,
- unsigned char *signature_out),
- void *sign_ctx)
-{
- opt->crypto.sign_rsaes_pkcs1_v1_5 = sign_rsaes_pkcs1_v1_5;
- opt->crypto.sign_ctx = sign_ctx;
-}
\ No newline at end of file
diff --git a/src/third_party/kms-message/src/kms_request_opt_private.h b/src/third_party/kms-message/src/kms_request_opt_private.h
deleted file mode 100644
index 8c25bdf2801..00000000000
--- a/src/third_party/kms-message/src/kms_request_opt_private.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef KMS_REQUEST_OPT_PRIVATE_H
-#define KMS_REQUEST_OPT_PRIVATE_H
-
-#include "kms_message/kms_message_defines.h"
-#include "kms_message/kms_request_opt.h"
-#include "kms_crypto.h"
-
-#include <stdbool.h>
-
-struct _kms_request_opt_t {
- bool connection_close;
- _kms_crypto_t crypto;
- kms_request_provider_t provider;
-};
-
-#endif /* KMS_REQUEST_OPT_PRIVATE_H */
diff --git a/src/third_party/kms-message/src/kms_request_str.c b/src/third_party/kms-message/src/kms_request_str.c
deleted file mode 100644
index 65207d2f4fa..00000000000
--- a/src/third_party/kms-message/src/kms_request_str.c
+++ /dev/null
@@ -1,514 +0,0 @@ -/* - * Copyright 2018-present MongoDB, Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include "hexlify.h" -#include "kms_crypto.h" -#include "kms_message/kms_message.h" -#include "kms_message_private.h" -#include "kms_request_str.h" -#include "kms_port.h" - -#include <stdio.h> -#include <ctype.h> -#include <stdbool.h> -#include <stdlib.h> - -bool rfc_3986_tab[256] = {0}; -bool kms_initialized = false; - -static void -tables_init () -{ - int i; - - if (kms_initialized) { - return; - } - - for (i = 0; i < 256; ++i) { - rfc_3986_tab[i] = - isalnum (i) || i == '~' || i == '-' || i == '.' || i == '_'; - } - - kms_initialized = true; -} - - -kms_request_str_t * -kms_request_str_new (void) -{ - kms_request_str_t *s = malloc (sizeof (kms_request_str_t)); - KMS_ASSERT (s); - - s->len = 0; - s->size = 16; - s->str = malloc (s->size); - KMS_ASSERT (s->str); - - s->str[0] = '\0'; - - return s; -} - -kms_request_str_t * -kms_request_str_new_from_chars (const char *chars, ssize_t len) -{ - kms_request_str_t *s = malloc (sizeof (kms_request_str_t)); - KMS_ASSERT (s); - - size_t actual_len; - - actual_len = len < 0 ? 
strlen (chars) : (size_t) len; - s->size = actual_len + 1; - s->str = malloc (s->size); - KMS_ASSERT (s->str); - - memcpy (s->str, chars, actual_len); - s->str[actual_len] = '\0'; - s->len = actual_len; - - return s; -} - -kms_request_str_t * -kms_request_str_wrap (char *chars, ssize_t len) -{ - kms_request_str_t *s; - - if (!chars) { - return NULL; - } - - s = malloc (sizeof (kms_request_str_t)); - KMS_ASSERT (s); - - - s->str = chars; - s->len = len < 0 ? strlen (chars) : (size_t) len; - s->size = s->len; - - return s; -} - -void -kms_request_str_destroy (kms_request_str_t *str) -{ - if (!str) { - return; - } - - free (str->str); - free (str); -} - -char * -kms_request_str_detach (kms_request_str_t *str) -{ - if (!str) { - return NULL; - } - char *r = str->str; - free (str); - return r; -} - -const char * -kms_request_str_get (kms_request_str_t *str) -{ - return str->str; -} - -bool -kms_request_str_reserve (kms_request_str_t *str, size_t size) -{ - size_t next_size = str->len + size + 1; - - if (str->size < next_size) { - /* next power of 2 */ - --next_size; - next_size |= next_size >> 1U; - next_size |= next_size >> 2U; - next_size |= next_size >> 4U; - next_size |= next_size >> 8U; - next_size |= next_size >> 16U; - ++next_size; - - str->size = next_size; - str->str = realloc (str->str, next_size); - } - - return str->str != NULL; -} - -kms_request_str_t * -kms_request_str_dup (kms_request_str_t *str) -{ - kms_request_str_t *dup = malloc (sizeof (kms_request_str_t)); - KMS_ASSERT (dup); - - - dup->str = kms_strndup (str->str, str->len); - dup->len = str->len; - dup->size = str->len + 1; - - return dup; -} - -void -kms_request_str_set_chars (kms_request_str_t *str, - const char *chars, - ssize_t len) -{ - size_t actual_len = len < 0 ? 
strlen (chars) : (size_t) len; - kms_request_str_reserve (str, actual_len); /* adds 1 for nil */ - memcpy (str->str, chars, actual_len + 1); - str->len = actual_len; -} - -bool -kms_request_str_ends_with (kms_request_str_t *str, kms_request_str_t *suffix) -{ - if (str->len >= suffix->len && - 0 == strncmp ( - &str->str[str->len - suffix->len], suffix->str, suffix->len)) { - return true; - } - - return false; -} - -void -kms_request_str_append (kms_request_str_t *str, kms_request_str_t *appended) -{ - size_t next_len = str->len + appended->len; - - kms_request_str_reserve (str, next_len); - memcpy (str->str + str->len, appended->str, appended->len); - str->len += appended->len; - str->str[str->len] = '\0'; -} - -void -kms_request_str_append_char (kms_request_str_t *str, char c) -{ - kms_request_str_reserve (str, 1); - *(str->str + str->len) = c; - ++str->len; - str->str[str->len] = '\0'; -} - - -void -kms_request_str_append_chars (kms_request_str_t *str, - const char *appended, - ssize_t len) -{ - if (len < 0) { - len = strlen (appended); - } - kms_request_str_reserve (str, (size_t) len); - memcpy (str->str + str->len, appended, (size_t) len); - str->len += len; - str->str[str->len] = '\0'; -} - -void -kms_request_str_append_newline (kms_request_str_t *str) -{ - kms_request_str_append_char (str, '\n'); -} - -void -kms_request_str_append_lowercase (kms_request_str_t *str, - kms_request_str_t *appended) -{ - size_t i; - char *p; - - i = str->len; - kms_request_str_append (str, appended); - - /* downcase the chars from the old end to the new end of str */ - for (; i < str->len; ++i) { - p = &str->str[i]; - /* ignore UTF-8 non-ASCII chars, which have 1 in the top bit */ - if ((*p & (0x1U << 7U)) == 0) { - *p = (char) tolower (*p); - } - } -} - -void -kms_request_str_appendf (kms_request_str_t *str, const char *format, ...) 
-{ - va_list args; - size_t remaining; - int n; - - KMS_ASSERT (format); - - while (true) { - remaining = str->size - str->len; - - va_start (args, format); - n = vsnprintf (&str->str[str->len], remaining, format, args); - va_end (args); - - if (n > -1 && (size_t) n < remaining) { - /* success */ - str->len += (size_t) n; - return; - } - - if (n > -1) { - kms_request_str_reserve (str, (size_t) n); - } else { - /* TODO: error! */ - abort (); - } - } -} - -void -kms_request_str_append_escaped (kms_request_str_t *str, - kms_request_str_t *appended, - bool escape_slash) -{ - uint8_t *in; - uint8_t *out; - size_t i; - - tables_init (); - - /* might replace each input char with 3 output chars: "%AB" */ - kms_request_str_reserve (str, 3 * appended->len); - in = (uint8_t *) appended->str; - out = (uint8_t *) str->str + str->len; - - for (i = 0; i < appended->len; ++i) { - if (rfc_3986_tab[*in] || (*in == '/' && !escape_slash)) { - *out = *in; - ++out; - ++str->len; - } else { - sprintf ((char *) out, "%%%02X", *in); - out += 3; - str->len += 3; - } - - ++in; - } -} - -void -kms_request_str_append_stripped (kms_request_str_t *str, - kms_request_str_t *appended) -{ - const char *src = appended->str; - const char *end = appended->str + appended->len; - bool space = false; - bool comma = false; - - kms_request_str_reserve (str, appended->len); - - // msvcrt is unhappy when it gets non-ANSI characters in isspace - while (*src >= 0 && isspace (*src)) { - ++src; - } - - while (src < end) { - /* replace newlines with commas. not documented but see - * get-header-value-multiline.creq */ - if (*src == '\n') { - comma = true; - space = false; - } else if (*src >= 0 && isspace (*src)) { - space = true; - } else { - if (comma) { - kms_request_str_append_char (str, ','); - comma = false; - space = false; - } - - /* is there a run of spaces waiting to be written as one space? 
*/ - if (space) { - kms_request_str_append_char (str, ' '); - space = false; - } - - kms_request_str_append_char (str, *src); - } - - ++src; - } -} - -bool -kms_request_str_append_hashed (_kms_crypto_t *crypto, - kms_request_str_t *str, - kms_request_str_t *appended) -{ - uint8_t hash[32]; - char *hex_chars; - - if (!crypto->sha256 (crypto->ctx, appended->str, appended->len, hash)) { - return false; - } - - hex_chars = hexlify (hash, sizeof (hash)); - kms_request_str_append_chars (str, hex_chars, 2 * sizeof (hash)); - free (hex_chars); - - return true; -} - -bool -kms_request_str_append_hex (kms_request_str_t *str, - unsigned char *data, - size_t len) -{ - char *hex_chars; - - hex_chars = hexlify (data, len); - kms_request_str_append_chars (str, hex_chars, len * 2); - free (hex_chars); - - return true; -} - -static bool -starts_with (char *s, const char *prefix) -{ - if (strstr (s, prefix) == s) { - return true; - } - - return false; -} - -/* remove from last slash to the end, but don't remove slash from start */ -static void -delete_last_segment (kms_request_str_t *str, bool is_absolute) -{ - ssize_t i; - - if (!str->len) { - return; - } - - for (i = str->len - 1; i >= 0; --i) { - if (str->str[i] == '/') { - if (i == 0 && is_absolute) { - str->len = 1; - } else { - str->len = (size_t) i; - } - - goto done; - } - } - - /* no slashes */ - str->len = 0; - -done: - str->str[str->len] = '\0'; -} - -/* follow algorithm in https://tools.ietf.org/html/rfc3986#section-5.2.4, - * the block comments are copied from there */ -kms_request_str_t * -kms_request_str_path_normalized (kms_request_str_t *str) -{ - kms_request_str_t *slash = kms_request_str_new_from_chars ("/", 1); - kms_request_str_t *out = kms_request_str_new (); - char *in = strdup (str->str); - char *p = in; - char *end = in + str->len; - bool is_absolute = (*p == '/'); - - if (0 == strcmp (p, "/")) { - goto done; - } - - while (p < end) { - /* If the input buffer begins with a prefix of "../" or "./", - * then 
remove that prefix from the input buffer */ - if (starts_with (p, "../")) { - p += 3; - } else if (starts_with (p, "./")) { - p += 2; - } - /* otherwise, if the input buffer begins with a prefix of "/./" or "/.", - * where "." is a complete path segment, then replace that prefix with "/" - * in the input buffer */ - else if (starts_with (p, "/./")) { - p += 2; - } else if (0 == strcmp (p, "/.")) { - break; - } - /* otherwise, if the input buffer begins with a prefix of "/../" or "/..", - * where ".." is a complete path segment, then replace that prefix with - * "/" in the input buffer and remove the last segment and its preceding - * "/" (if any) from the output buffer */ - else if (starts_with (p, "/../")) { - p += 3; - delete_last_segment (out, is_absolute); - } else if (0 == strcmp (p, "/..")) { - delete_last_segment (out, is_absolute); - break; - } - /* otherwise, if the input buffer consists only of "." or "..", then - remove that from the input buffer */ - else if (0 == strcmp (p, ".") || 0 == strcmp (p, "..")) { - break; - } - /* otherwise, move the first path segment in the input buffer to the end - * of the output buffer, including the initial "/" character (if any) and - * any subsequent characters up to, but not including, the next "/" - * character or the end of the input buffer. */ - else { - char *next_slash = strchr (p + 1, '/'); - if (!next_slash) { - next_slash = end; - } - - /* fold repeated slashes */ - if (kms_request_str_ends_with (out, slash) && *p == '/') { - ++p; - } - - /* normalize "a/../b" as "b", not as "/b" */ - if (out->len == 0 && !is_absolute && *p == '/') { - ++p; - } - - kms_request_str_append_chars (out, p, next_slash - p); - p = next_slash; - } - } - -done: - free (in); - kms_request_str_destroy (slash); - - if (!out->len) { - kms_request_str_append_char (out, '/'); - } - - return out; -} 
diff --git a/src/third_party/kms-message/src/kms_request_str.h b/src/third_party/kms-message/src/kms_request_str.h
deleted file mode 100644
index 4e33faa175f..00000000000
--- a/src/third_party/kms-message/src/kms_request_str.h
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef KMS_MESSAGE_KMS_REQUEST_STR_H
-#define KMS_MESSAGE_KMS_REQUEST_STR_H
-
-#include "kms_message/kms_message.h"
-#include "kms_crypto.h"
-
-#include <stdarg.h>
-#include <stdbool.h>
-#include <stdint.h>
-#include <string.h>
-
-typedef struct {
- char *str;
- size_t len;
- size_t size;
-} kms_request_str_t;
-
-KMS_MSG_EXPORT (kms_request_str_t *)
-kms_request_str_new (void);
-KMS_MSG_EXPORT (kms_request_str_t *)
-kms_request_str_new_from_chars (const char *chars, ssize_t len);
-KMS_MSG_EXPORT (kms_request_str_t *)
-kms_request_str_wrap (char *chars, ssize_t len);
-KMS_MSG_EXPORT (void)
-kms_request_str_destroy (kms_request_str_t *str);
-KMS_MSG_EXPORT (char *)
-kms_request_str_detach (kms_request_str_t *str);
-KMS_MSG_EXPORT (bool)
-kms_request_str_reserve (kms_request_str_t *str, size_t size);
-KMS_MSG_EXPORT (kms_request_str_t *)
-kms_request_str_dup (kms_request_str_t *str);
-KMS_MSG_EXPORT (void)
-kms_request_str_set_chars (kms_request_str_t *str,
- const char *chars,
- ssize_t len);
-KMS_MSG_EXPORT (bool)
-kms_request_str_ends_with (kms_request_str_t *str, kms_request_str_t *suffix);
-KMS_MSG_EXPORT (void)
-kms_request_str_append (kms_request_str_t *str, kms_request_str_t *appended);
-KMS_MSG_EXPORT (void)
-kms_request_str_append_char (kms_request_str_t *str, char c);
-KMS_MSG_EXPORT (void)
-kms_request_str_append_chars (kms_request_str_t *str,
- const char *appended,
- ssize_t len);
-KMS_MSG_EXPORT (void)
-kms_request_str_append_newline (kms_request_str_t *str);
-KMS_MSG_EXPORT (void)
-kms_request_str_append_lowercase (kms_request_str_t *str,
- kms_request_str_t *appended);
-KMS_MSG_EXPORT (void)
-kms_request_str_appendf (kms_request_str_t *str, const char *format, ...);
-KMS_MSG_EXPORT (void)
-kms_request_strdupf (kms_request_str_t *str, const char *format, ...);
-KMS_MSG_EXPORT (void)
-kms_request_str_append_escaped (kms_request_str_t *str,
- kms_request_str_t *appended,
- bool escape_slash);
-KMS_MSG_EXPORT (void)
-kms_request_str_append_stripped (kms_request_str_t *str,
- kms_request_str_t *appended);
-KMS_MSG_EXPORT (bool)
-kms_request_str_append_hashed (_kms_crypto_t *crypto,
- kms_request_str_t *str,
- kms_request_str_t *appended);
-KMS_MSG_EXPORT (bool)
-kms_request_str_append_hex (kms_request_str_t *str,
- unsigned char *data,
- size_t len);
-KMS_MSG_EXPORT (kms_request_str_t *)
-kms_request_str_path_normalized (kms_request_str_t *str);
-
-#endif // KMS_MESSAGE_KMS_REQUEST_STR_H
diff --git a/src/third_party/kms-message/src/kms_response.c b/src/third_party/kms-message/src/kms_response.c
deleted file mode 100644
index c90e772b14f..00000000000
--- a/src/third_party/kms-message/src/kms_response.c
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"){}
- *
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "kms_message/kms_message.h"
-#include "kms_message_private.h"
-#include "kms_request_str.h"
-
-void
-kms_response_destroy (kms_response_t *response)
-{
- if (response == NULL) {
- return;
- }
- kms_kv_list_destroy (response->headers);
- kms_request_str_destroy (response->body);
- free (response);
-}
-
-const char *
-kms_response_get_body (kms_response_t *response, size_t *len)
-{
- if (len) {
- *len = response->body->len;
- }
- return response->body->str;
-}
-
-int
-kms_response_get_status (kms_response_t *response)
-{
- return response->status;
-}
\ No newline at end of file
diff --git a/src/third_party/kms-message/src/kms_response_parser.c b/src/third_party/kms-message/src/kms_response_parser.c
deleted file mode 100644
index 6f0c0487864..00000000000
--- a/src/third_party/kms-message/src/kms_response_parser.c
+++ /dev/null
@@ -1,373 +0,0 @@ -#include "kms_message/kms_response_parser.h" -#include "kms_message_private.h" - -#include <errno.h> -#include <limits.h> -#include <stdio.h> -#include <stdlib.h> - -#include "hexlify.h" - -/* destroys the members of parser, but not the parser itself. */ -static void -_parser_destroy (kms_response_parser_t *parser) -{ - kms_request_str_destroy (parser->raw_response); - parser->raw_response = NULL; - parser->content_length = -1; - kms_response_destroy (parser->response); - parser->response = NULL; -} - -/* initializes the members of parser. */ -static void -_parser_init (kms_response_parser_t *parser) -{ - parser->raw_response = kms_request_str_new (); - parser->content_length = -1; - parser->response = calloc (1, sizeof (kms_response_t)); - KMS_ASSERT (parser->response); - parser->response->headers = kms_kv_list_new (); - parser->state = PARSING_STATUS_LINE; - parser->start = 0; - parser->failed = false; - parser->chunk_size = 0; - parser->transfer_encoding_chunked = false; -} - -kms_response_parser_t * -kms_response_parser_new (void) -{ - kms_response_parser_t *parser = malloc (sizeof (kms_response_parser_t)); - KMS_ASSERT (parser); - - _parser_init (parser); - return parser; -} - -int -kms_response_parser_wants_bytes (kms_response_parser_t *parser, int32_t max) -{ - switch (parser->state) { - case PARSING_DONE: - return 0; - case PARSING_STATUS_LINE: - case PARSING_HEADER: - return max; - case PARSING_CHUNK_LENGTH: - return max; - case PARSING_CHUNK: - /* add 2 for trailing \r\n */ - return (parser->chunk_size + 2) - - ((int) parser->raw_response->len - parser->start); - case PARSING_BODY: - KMS_ASSERT (parser->content_length != -1); - return parser->content_length - - ((int) parser->raw_response->len - parser->start); - } - return -1; -} - -static bool -_parse_int (const char *str, int *result) -{ - char *endptr = NULL; - int64_t long_result; - - errno = 0; - long_result = strtol (str, &endptr, 10); - if (endptr == str) { - /* No digits were 
parsed. Consider this an error */ - return false; - } - if (endptr != NULL && *endptr != '\0') { - /* endptr points to the first invalid character. */ - return false; - } - if (errno == EINVAL || errno == ERANGE) { - return false; - } - if (long_result > INT32_MAX || long_result < INT32_MIN) { - return false; - } - *result = (int) long_result; - - return true; -} - -/* parse an int from a substring inside of a string. */ -static bool -_parse_int_from_view (const char *str, int start, int end, int *result) -{ - char *num_str = malloc (end - start + 1); - KMS_ASSERT (num_str); - - bool ret; - - strncpy (num_str, str + start, end - start); - num_str[end - start] = '\0'; - ret = _parse_int (num_str, result); - free (num_str); - return ret; -} - -static bool -_parse_hex_from_view (const char *str, int len, int *result) -{ - *result = unhexlify (str, len); - if (*result < 0) { - return false; - } - return true; -} - -/* returns true if char is "linear white space". This *ignores* the folding case - * of CRLF followed by WSP. See https://stackoverflow.com/a/21072806/774658 */ -static bool -_is_lwsp (char c) -{ - return c == ' ' || c == 0x09 /* HTAB */; -} - -/* parse a header line or status line. */ -static kms_response_parser_state_t -_parse_line (kms_response_parser_t *parser, int end) -{ - int i = parser->start; - const char *raw = parser->raw_response->str; - kms_response_t *response = parser->response; - - if (parser->state == PARSING_STATUS_LINE) { - /* Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF */ - int j; - int status; - - if (strncmp (raw + i, "HTTP/1.1 ", 9) != 0) { - KMS_ERROR (parser, "Could not parse HTTP-Version."); - return PARSING_DONE; - } - i += 9; - - for (j = i; j < end; j++) { - if (raw[j] == ' ') - break; - } - - if (!_parse_int_from_view (raw, i, j, &status)) { - KMS_ERROR (parser, "Could not parse Status-Code."); - return PARSING_DONE; - } - - response->status = status; - - /* ignore the Reason-Phrase. 
*/ - return PARSING_HEADER; - } else if (parser->state == PARSING_HEADER) { - /* Treating a header as: - * message-header = field-name ":" [ field-value ] CRLF - * This is not completely correct, and does not take folding into acct. - * See https://tools.ietf.org/html/rfc822#section-3.1 - */ - int j; - kms_request_str_t *key; - kms_request_str_t *val; - - if (i == end) { - /* empty line, this signals the start of the body. */ - if (parser->transfer_encoding_chunked) { - return PARSING_CHUNK_LENGTH; - } - return PARSING_BODY; - } - - for (j = i; j < end; j++) { - if (raw[j] == ':') - break; - } - - if (j == end) { - KMS_ERROR (parser, "Could not parse header, no colon found."); - return PARSING_DONE; - } - - key = kms_request_str_new_from_chars (raw + i, j - i); - - i = j + 1; - /* remove leading and trailing whitespace from the value. */ - for (j = i; j < end; j++) { - if (!_is_lwsp (raw[j])) - break; - } - i = j; - - /* find the end of the header by backtracking. */ - for (j = end; j > i; j--) { - if (!_is_lwsp (raw[j])) - break; - } - - if (i == j) { - val = kms_request_str_new (); - } else { - val = kms_request_str_new_from_chars (raw + i, j - i); - } - - kms_kv_list_add (response->headers, key, val); - - /* if we have *not* read the Content-Length yet, check. 
*/ - if (parser->content_length == -1 && - strcmp (key->str, "Content-Length") == 0) { - if (!_parse_int (val->str, &parser->content_length)) { - KMS_ERROR (parser, "Could not parse Content-Length header."); - kms_request_str_destroy (key); - kms_request_str_destroy (val); - return PARSING_DONE; - } - } - - if (0 == strcmp (key->str, "Transfer-Encoding")) { - if (0 == strcmp (val->str, "chunked")) { - parser->transfer_encoding_chunked = true; - } else { - KMS_ERROR (parser, "Unsupported Transfer-Encoding: %s", val->str); - kms_request_str_destroy (key); - kms_request_str_destroy (val); - return PARSING_DONE; - } - } - kms_request_str_destroy (key); - kms_request_str_destroy (val); - return PARSING_HEADER; - } else if (parser->state == PARSING_CHUNK_LENGTH) { - int result = 0; - - if (!_parse_hex_from_view (raw + i, end - i, &result)) { - KMS_ERROR (parser, "Failed to parse hex chunk length."); - return PARSING_DONE; - } - parser->chunk_size = result; - return PARSING_CHUNK; - } - return PARSING_DONE; -} - -bool -kms_response_parser_feed (kms_response_parser_t *parser, - uint8_t *buf, - uint32_t len) -{ - kms_request_str_t *raw = parser->raw_response; - int curr, body_read, chunk_read; - - curr = (int) raw->len; - kms_request_str_append_chars (raw, (char *) buf, len); - /* process the new data appended. */ - while (curr < (int) raw->len) { - switch (parser->state) { - case PARSING_STATUS_LINE: - case PARSING_HEADER: - case PARSING_CHUNK_LENGTH: - /* find the next \r\n. 
*/ - if (curr && strncmp (raw->str + (curr - 1), "\r\n", 2) == 0) { - parser->state = _parse_line (parser, curr - 1); - parser->start = curr + 1; - } - curr++; - - if (parser->state == PARSING_BODY && parser->content_length <= 0) { - /* Ok, no Content-Length header, or explicitly 0, so empty body */ - parser->response->body = kms_request_str_new (); - parser->state = PARSING_DONE; - } - break; - case PARSING_BODY: - body_read = (int) raw->len - parser->start; - - if (parser->content_length == -1 || - body_read > parser->content_length) { - KMS_ERROR (parser, "Unexpected: exceeded content length"); - return false; - } - - /* check if we have the entire body. */ - if (body_read == parser->content_length) { - parser->response->body = kms_request_str_new_from_chars ( - raw->str + parser->start, parser->content_length); - parser->state = PARSING_DONE; - } - - curr = (int) raw->len; - break; - case PARSING_CHUNK: - chunk_read = (int) raw->len - parser->start; - /* check if we've read the full chunk and the trailing \r\n */ - if (chunk_read >= parser->chunk_size + 2) { - if (!parser->response->body) { - parser->response->body = kms_request_str_new (); - } - kms_request_str_append_chars (parser->response->body, - raw->str + parser->start, - parser->chunk_size); - curr = parser->start + parser->chunk_size + 2; - parser->start = curr; - if (parser->chunk_size == 0) { - /* last chunk. */ - parser->state = PARSING_DONE; - } else { - parser->state = PARSING_CHUNK_LENGTH; - } - } else { - curr = (int) raw->len; - } - break; - case PARSING_DONE: - KMS_ERROR (parser, "Unexpected extra HTTP content"); - return false; - } - } - - if (parser->failed) { - return false; - } - return true; -} - -/* steals the response from the parser. */ -kms_response_t * -kms_response_parser_get_response (kms_response_parser_t *parser) -{ - kms_response_t *response = parser->response; - - parser->response = NULL; - /* reset the parser. 
*/ - _parser_destroy (parser); - _parser_init (parser); - return response; -} - -int -kms_response_parser_status (kms_response_parser_t *parser) -{ - if (!parser || !(parser->response)) { - return 0; - } - - return parser->response->status; -} - -const char * -kms_response_parser_error (kms_response_parser_t *parser) -{ - if (!parser) { - return NULL; - } - - return parser->error; -} - -void -kms_response_parser_destroy (kms_response_parser_t *parser) -{ - _parser_destroy (parser); - free (parser); -} diff --git a/src/third_party/kms-message/src/sort.c b/src/third_party/kms-message/src/sort.c deleted file mode 100644 index 91aa3f35918..00000000000 --- a/src/third_party/kms-message/src/sort.c +++ /dev/null 
@@ -1,74 +0,0 @@
-/*
- * SPDX-License-Identifier: BSD-3-Clause
- *
- * Copyright (c) 1992, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * This code is derived from software contributed to Berkeley by
- * Peter McIlroy.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/**
- * This code is originally from:
- * https://github.com/freebsd/freebsd/blob/e7c6cef9514d3bb1f14a30a5ee871231523e43db/lib/libc/stdlib/merge.c
- */
-
-#include <stddef.h>
-
-/*
- * This is to avoid out-of-bounds addresses in sorting the
- * last 4 elements.
- */
-
-typedef int (*cmp_t) (const void *, const void *);
-#define CMP(x, y) cmp (x, y)
-#define swap(a, b) \
- { \
- s = b; \
- i = size; \
- do { \
- tmp = *a; \
- *a++ = *s; \
- *s++ = tmp; \
- } while (--i); \
- a -= size; \
- }
-
-void
-insertionsort (unsigned char *a, size_t n, size_t size, cmp_t cmp)
-{
- unsigned char *ai, *s, *t, *u, tmp;
- size_t i;
-
- for (ai = a + size; --n >= 1; ai += size)
- for (t = ai; t > a; t -= size) {
- u = t - size;
- if (CMP (u, t) <= 0)
- break;
- swap (u, t);
- }
-}
diff --git a/src/third_party/kms-message/src/sort.h b/src/third_party/kms-message/src/sort.h
deleted file mode 100644
index 42c1b21c7ee..00000000000
--- a/src/third_party/kms-message/src/sort.h
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
- * Copyright 2018-present MongoDB, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"){}
- *
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-typedef int (*cmp_t) (const void *, const void *);
-
-void
-insertionsort (unsigned char *a, size_t n, size_t size, cmp_t cmp); |