// non public api
Status RocksEngine::_createIdentPrefix(StringData ident) {
uint32_t prefix = 0;
{
boost::lock_guard<boost::mutex> lk(_identPrefixMapMutex);
if (_identPrefixMap.find(ident) != _identPrefixMap.end()) {
// already exists
return Status::OK();
}
prefix = ++_maxPrefix;
_identPrefixMap[ident] = prefix;
}
BSONObjBuilder builder;
builder.append("prefix", static_cast<int32_t>(prefix));
BSONObj config = builder.obj();
auto s = _db->Put(rocksdb::WriteOptions(), kMetadataPrefix + ident.toString(),
rocksdb::Slice(config.objdata(), config.objsize()));
if (s.ok()) {
// As an optimization, add a key <prefix> to the DB
std::string encodedPrefix(encodePrefix(prefix));
s = _db->Put(rocksdb::WriteOptions(), encodedPrefix, rocksdb::Slice());
}
return rocksToMongoStatus(s);
}
Status RocksEngine::createRecordStore(OperationContext* opCtx, StringData ns, StringData ident,
const CollectionOptions& options) {
auto s = _createIdentPrefix(ident);
if (s.isOK() && NamespaceString::oplog(ns)) {
_oplogIdent = ident.toString();
// oplog needs two prefixes, so we also reserve the next one
uint64_t oplogTrackerPrefix = 0;
{
boost::lock_guard<boost::mutex> lk(_identPrefixMapMutex);
oplogTrackerPrefix = ++_maxPrefix;
}
// we also need to write out the new prefix to the database. this is just an
// optimization
std::string encodedPrefix(encodePrefix(oplogTrackerPrefix));
s = rocksToMongoStatus(
_db->Put(rocksdb::WriteOptions(), encodedPrefix, rocksdb::Slice()));
}
return s;
}
std::string RocksEngine::_getIdentPrefix(StringData ident) {
boost::mutex::scoped_lock lk(_identPrefixMapMutex);
auto prefixIter = _identPrefixMap.find(ident);
invariant(prefixIter != _identPrefixMap.end());
return encodePrefix(prefixIter->second);
}
SECStatus
_SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg,
const SECItem *digest,
const SECItem *dataRecoveredFromSignature,
PRBool unsafeAllowMissingParameters)
{
SECOidData *hashOid;
pkcs1Prefixes pp;
const pkcs1Prefix *expectedPrefix;
SECStatus rv, rv2, rv3;
if (!digest || !digest->data ||
!dataRecoveredFromSignature || !dataRecoveredFromSignature->data) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
hashOid = SECOID_FindOIDByTag(digestAlg);
if (hashOid == NULL) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
pp.digestLen = digest->len;
pp.prefixWithParams.data = NULL;
pp.prefixWithoutParams.data = NULL;
rv2 = encodePrefix(hashOid, pp.digestLen, &pp.prefixWithParams, PR_TRUE);
rv3 = encodePrefix(hashOid, pp.digestLen, &pp.prefixWithoutParams, PR_FALSE);
rv = SECSuccess;
if (rv2 != SECSuccess || rv3 != SECSuccess) {
rv = SECFailure;
}
if (rv == SECSuccess) {
/* We don't attempt to avoid timing attacks on these comparisons because
* signature verification is a public key operation, not a private key
* operation.
*/
if (dataRecoveredFromSignature->len ==
pp.prefixWithParams.len + pp.digestLen) {
expectedPrefix = &pp.prefixWithParams;
} else if (unsafeAllowMissingParameters &&
dataRecoveredFromSignature->len ==
pp.prefixWithoutParams.len + pp.digestLen) {
expectedPrefix = &pp.prefixWithoutParams;
} else {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
rv = SECFailure;
}
}
if (rv == SECSuccess) {
if (memcmp(dataRecoveredFromSignature->data, expectedPrefix->data,
expectedPrefix->len) ||
memcmp(dataRecoveredFromSignature->data + expectedPrefix->len,
digest->data, digest->len)) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
rv = SECFailure;
}
}
if (pp.prefixWithParams.data) {
PORT_Free(pp.prefixWithParams.data);
}
if (pp.prefixWithoutParams.data) {
PORT_Free(pp.prefixWithoutParams.data);
}
return rv;
}
