fix(NODE-XXXX): provide native crypto hooks for OpenSSL 3

Author: addaleax

addon/mongocrypt.cc

@@ -120,6 +120,7 @@ Function MongoCrypt::Init(Napi::Env env) {
          InstanceMethod("makeDataKeyContext", &MongoCrypt::MakeDataKeyContext),
          InstanceMethod("makeRewrapManyDataKeyContext", &MongoCrypt::MakeRewrapManyDataKeyContext),
          InstanceAccessor("status", &MongoCrypt::Status, nullptr),
+         InstanceAccessor("cryptoHooksProvider", &MongoCrypt::CryptoHooksProvider, nullptr),
          InstanceAccessor(
              "cryptSharedLibVersionInfo", &MongoCrypt::CryptSharedLibVersionInfo, nullptr),
          StaticValue("libmongocryptVersion", String::New(env, mongocrypt_version(nullptr)))});
@@ -201,7 +202,7 @@ static bool aes_256_generic_hook(MongoCrypt* mongoCrypt,
     return true;
 }
 
-bool MongoCrypt::setupCryptoHooks() {
+std::unique_ptr<CryptoHooks> MongoCrypt::createJSCryptoHooks() {
     auto aes_256_cbc_encrypt = [](void* ctx,
                                   mongocrypt_binary_t* key,
                                   mongocrypt_binary_t* iv,
@@ -398,26 +399,51 @@ bool MongoCrypt::setupCryptoHooks() {
         return true;
     };
 
+    return std::make_unique<CryptoHooks>(CryptoHooks {
+        "js",
+        aes_256_cbc_encrypt,
+        aes_256_cbc_decrypt,
+        random,
+        hmac_sha_512,
+        hmac_sha_256,
+        sha_256,
+        aes_256_ctr_encrypt,
+        aes_256_ctr_decrypt,
+        nullptr,
+        sign_rsa_sha256,
+        this
+    });
+}
+
+bool MongoCrypt::installCryptoHooks() {
+    const auto& hooks = *_crypto_hooks;
     if (!mongocrypt_setopt_crypto_hooks(_mongo_crypt.get(),
-                                        aes_256_cbc_encrypt,
-                                        aes_256_cbc_decrypt,
-                                        random,
-                                        hmac_sha_512,
-                                        hmac_sha_256,
-                                        sha_256,
-                                        this)) {
+                                        hooks.aes_256_cbc_encrypt,
+                                        hooks.aes_256_cbc_decrypt,
+                                        hooks.random,
+                                        hooks.hmac_sha_512,
+                                        hooks.hmac_sha_256,
+                                        hooks.sha_256,
+                                        hooks.ctx)) {
         return false;
     }
 
     // Added after `mongocrypt_setopt_crypto_hooks`, they should be treated as the same during
     // configuration
     if (!mongocrypt_setopt_crypto_hook_sign_rsaes_pkcs1_v1_5(
-            _mongo_crypt.get(), sign_rsa_sha256, this)) {
+            _mongo_crypt.get(), hooks.sign_rsa_sha256, this)) {
         return false;
     }
 
     if (!mongocrypt_setopt_aes_256_ctr(
-            _mongo_crypt.get(), aes_256_ctr_encrypt, aes_256_ctr_decrypt, this)) {
+            _mongo_crypt.get(), hooks.aes_256_ctr_encrypt, hooks.aes_256_ctr_decrypt, hooks.ctx)) {
+        return false;
+    }
+
+    if (hooks.aes_256_ecb_encrypt &&
+        !mongocrypt_setopt_aes_256_ecb(
+            _mongo_crypt.get(), hooks.aes_256_ecb_encrypt, hooks.ctx)
+        ) {
         return false;
     }
 
@@ -472,7 +498,10 @@ MongoCrypt::MongoCrypt(const CallbackInfo& info)
         }
     }
 
-    if (options.Has("cryptoCallbacks")) {
+    if (!_crypto_hooks) {
+        _crypto_hooks = opensslcrypto::createOpenSSLCryptoHooks();
+    }
+    if (!_crypto_hooks && options.Has("cryptoCallbacks")) {
         Object cryptoCallbacks = options.Get("cryptoCallbacks").ToObject();
 
         SetCallback("aes256CbcEncryptHook", cryptoCallbacks["aes256CbcEncryptHook"]);
@@ -484,10 +513,10 @@ MongoCrypt::MongoCrypt(const CallbackInfo& info)
         SetCallback("hmacSha256Hook", cryptoCallbacks["hmacSha256Hook"]);
         SetCallback("sha256Hook", cryptoCallbacks["sha256Hook"]);
         SetCallback("signRsaSha256Hook", cryptoCallbacks["signRsaSha256Hook"]);
-
-        if (!setupCryptoHooks()) {
-            throw Error::New(Env(), "unable to configure crypto hooks");
-        }
+        _crypto_hooks = createJSCryptoHooks();
+    }
+    if (_crypto_hooks && !installCryptoHooks()) {
+        throw Error::New(Env(), "unable to configure crypto hooks");
     }
 
     if (options.Has("cryptSharedLibSearchPaths")) {
@@ -535,6 +564,11 @@ Value MongoCrypt::CryptSharedLibVersionInfo(const CallbackInfo& info) {
     return ret;
 }
 
+Value MongoCrypt::CryptoHooksProvider(const CallbackInfo& info) {
+    if (!_crypto_hooks) return Env().Null();
+    return String::New(Env(), _crypto_hooks->id);
+}
+
 Value MongoCrypt::Status(const CallbackInfo& info) {
     std::unique_ptr<mongocrypt_status_t, MongoCryptStatusDeleter> status(mongocrypt_status_new());
     mongocrypt_status(_mongo_crypt.get(), status.get());

addon/mongocrypt.h

@@ -19,6 +19,21 @@ extern "C" {
 
 namespace node_mongocrypt {
 
+struct CryptoHooks {
+    const char* id;
+    mongocrypt_crypto_fn aes_256_cbc_encrypt;
+    mongocrypt_crypto_fn aes_256_cbc_decrypt;
+    mongocrypt_random_fn random;
+    mongocrypt_hmac_fn hmac_sha_512;
+    mongocrypt_hmac_fn hmac_sha_256;
+    mongocrypt_hash_fn sha_256;
+    mongocrypt_crypto_fn aes_256_ctr_encrypt;
+    mongocrypt_crypto_fn aes_256_ctr_decrypt;
+    mongocrypt_crypto_fn aes_256_ecb_encrypt;
+    mongocrypt_hmac_fn sign_rsa_sha256;
+    void* ctx;
+};
+
 struct MongoCryptBinaryDeleter {
     void operator()(mongocrypt_binary_t* binary) {
         mongocrypt_binary_destroy(binary);
@@ -37,6 +52,10 @@ struct MongoCryptContextDeleter {
     }
 };
 
+namespace opensslcrypto {
+std::unique_ptr<CryptoHooks> createOpenSSLCryptoHooks();
+}
+
 class MongoCrypt : public Napi::ObjectWrap<MongoCrypt> {
    public:
     static Napi::Function Init(Napi::Env env);
@@ -51,20 +70,23 @@ class MongoCrypt : public Napi::ObjectWrap<MongoCrypt> {
 
     Napi::Value Status(const Napi::CallbackInfo& info);
     Napi::Value CryptSharedLibVersionInfo(const Napi::CallbackInfo& info);
+    Napi::Value CryptoHooksProvider(const Napi::CallbackInfo& info);
 
    private:
     friend class Napi::ObjectWrap<MongoCrypt>;
     Napi::Function GetCallback(const char* name);
     void SetCallback(const char* name, Napi::Value fn);
 
     explicit MongoCrypt(const Napi::CallbackInfo& info);
-    bool setupCryptoHooks();
+    std::unique_ptr<CryptoHooks> createJSCryptoHooks();
+    bool installCryptoHooks();
 
     static void logHandler(mongocrypt_log_level_t level,
                            const char* message,
                            uint32_t message_len,
                            void* ctx);
 
+    std::unique_ptr<CryptoHooks> _crypto_hooks;
     std::unique_ptr<mongocrypt_t, MongoCryptDeleter> _mongo_crypt;
 };