MONGOCRYPT-811 Update encryptedTokens generation for text search (#1025)

Author: marksg07

src/mc-text-search-str-encode-private.h

@@ -35,6 +35,8 @@ typedef struct {
     mc_substring_set_t *substring_set;
     // Encoded exact string.
     _mongocrypt_buffer_t exact;
+    // Total number of tags over all the sets and the exact string.
+    uint32_t msize;
 } mc_str_encode_sets_t;
 
 // Run StrEncode with the given spec.

src/mc-text-search-str-encode.c

@@ -33,8 +33,10 @@ static mc_affix_set_t *generate_prefix_or_suffix_tree(const mc_utf8_string_with_
                                                       uint32_t unfolded_byte_len,
                                                       uint32_t lb,
                                                       uint32_t ub,
-                                                      bool is_prefix) {
+                                                      bool is_prefix,
+                                                      uint32_t *out_msize) {
     BSON_ASSERT_PARAM(base_str);
+    BSON_ASSERT_PARAM(out_msize);
     // We encrypt (unfolded string + 5 bytes of extra BSON info) with a 16-byte block cipher.
     uint32_t encrypted_len = 16 * (uint32_t)((unfolded_byte_len + OVERHEAD_BYTES + 15) / 16);
     // Max len of a string that has this encrypted len.
@@ -69,23 +71,24 @@ static mc_affix_set_t *generate_prefix_or_suffix_tree(const mc_utf8_string_with_
         n_inserted++;
     }
     BSON_ASSERT(n_inserted == set_size);
+    *out_msize += msize;
     return set;
 }
 
 static mc_affix_set_t *generate_suffix_tree(const mc_utf8_string_with_bad_char_t *base_str,
                                             uint32_t unfolded_byte_len,
-                                            const mc_FLE2SuffixInsertSpec_t *spec) {
-    BSON_ASSERT_PARAM(base_str);
+                                            const mc_FLE2SuffixInsertSpec_t *spec,
+                                            uint32_t *out_msize) {
     BSON_ASSERT_PARAM(spec);
-    return generate_prefix_or_suffix_tree(base_str, unfolded_byte_len, spec->lb, spec->ub, false);
+    return generate_prefix_or_suffix_tree(base_str, unfolded_byte_len, spec->lb, spec->ub, false, out_msize);
 }
 
 static mc_affix_set_t *generate_prefix_tree(const mc_utf8_string_with_bad_char_t *base_str,
                                             uint32_t unfolded_byte_len,
-                                            const mc_FLE2PrefixInsertSpec_t *spec) {
-    BSON_ASSERT_PARAM(base_str);
+                                            const mc_FLE2PrefixInsertSpec_t *spec,
+                                            uint32_t *out_msize) {
     BSON_ASSERT_PARAM(spec);
-    return generate_prefix_or_suffix_tree(base_str, unfolded_byte_len, spec->lb, spec->ub, true);
+    return generate_prefix_or_suffix_tree(base_str, unfolded_byte_len, spec->lb, spec->ub, true, out_msize);
 }
 
 static uint32_t calc_number_of_substrings(uint32_t strlen, uint32_t lb, uint32_t ub) {
@@ -104,9 +107,11 @@ static uint32_t calc_number_of_substrings(uint32_t strlen, uint32_t lb, uint32_t
 
 static mc_substring_set_t *generate_substring_tree(const mc_utf8_string_with_bad_char_t *base_str,
                                                    uint32_t unfolded_byte_len,
-                                                   const mc_FLE2SubstringInsertSpec_t *spec) {
+                                                   const mc_FLE2SubstringInsertSpec_t *spec,
+                                                   uint32_t *out_msize) {
     BSON_ASSERT_PARAM(base_str);
     BSON_ASSERT_PARAM(spec);
+    BSON_ASSERT_PARAM(out_msize);
     // We encrypt (unfolded string + 5 bytes of extra BSON info) with a 16-byte block cipher.
     uint32_t encrypted_len = 16 * (uint32_t)((unfolded_byte_len + OVERHEAD_BYTES + 15) / 16);
     // Max len of a string that has this encrypted len.
@@ -164,6 +169,7 @@ static mc_substring_set_t *generate_substring_tree(const mc_utf8_string_with_bad
         BSON_ASSERT(msize > n_real_substrings);
         mc_substring_set_increment_fake_string(set, msize - n_real_substrings);
     }
+    *out_msize += msize;
     return set;
 }
 
@@ -215,11 +221,13 @@ mc_str_encode_sets_t *mc_text_search_str_encode(const mc_FLE2TextSearchInsertSpe
     mc_str_encode_sets_t *sets = bson_malloc0(sizeof(mc_str_encode_sets_t));
     // Base string is the folded string plus the 0xFF character
     sets->base_string = base_string;
+    // Initialize msize at 1 for the exact string, and grow it for each encoding.
+    sets->msize = 1;
     if (spec->suffix.set) {
-        sets->suffix_set = generate_suffix_tree(sets->base_string, spec->len, &spec->suffix.value);
+        sets->suffix_set = generate_suffix_tree(sets->base_string, spec->len, &spec->suffix.value, &sets->msize);
     }
     if (spec->prefix.set) {
-        sets->prefix_set = generate_prefix_tree(sets->base_string, spec->len, &spec->prefix.value);
+        sets->prefix_set = generate_prefix_tree(sets->base_string, spec->len, &spec->prefix.value, &sets->msize);
     }
     if (spec->substr.set) {
         uint32_t unfolded_codepoint_len = mc_get_utf8_codepoint_length(spec->v, spec->len);
@@ -231,7 +239,7 @@ mc_str_encode_sets_t *mc_text_search_str_encode(const mc_FLE2TextSearchInsertSpe
             mc_str_encode_sets_destroy(sets);
             return NULL;
         }
-        sets->substring_set = generate_substring_tree(sets->base_string, spec->len, &spec->substr.value);
+        sets->substring_set = generate_substring_tree(sets->base_string, spec->len, &spec->substr.value, &sets->msize);
     }
     // Exact string is always equal to the base string up until the bad character
     _mongocrypt_buffer_from_data(&sets->exact, sets->base_string->buf.data, (uint32_t)sets->base_string->buf.len - 1);

src/mongocrypt-marking.c

@@ -512,14 +512,21 @@ static bool _fle2_placeholder_aes_aead_encrypt(_mongocrypt_key_broker_t *kb,
 //                            ECCDerivedFromDataTokenAndContentionFactor)
 // FLE V2: p := EncryptCTR(ECOCToken, ESCDerivedFromDataTokenAndContentionFactor)
 // Range V2: p := EncryptCTR(ECOCToken, ESCDerivedFromDataTokenAndContentionFactor || isLeaf)
+// Text search: p := EncryptCTR(ECOCToken, ESCDerivedFromDataTokenAndContentionFactor || msize)
+struct encrypted_token_metadata {
+    mc_optional_bool_t is_leaf; // isLeaf for Range V2, none for all other cases
+    mc_optional_uint32_t msize; // msize for text search, none for all other cases
+};
+
 static bool _fle2_derive_encrypted_token(_mongocrypt_crypto_t *crypto,
                                          _mongocrypt_buffer_t *out,
-                                         bool concatentate_leaf,
                                          const mc_CollectionsLevel1Token_t *collectionsLevel1Token,
                                          const _mongocrypt_buffer_t *escDerivedToken,
                                          const _mongocrypt_buffer_t *eccDerivedToken,
-                                         mc_optional_bool_t is_leaf,
+                                         struct encrypted_token_metadata token_metadata,
                                          mongocrypt_status_t *status) {
+    // isLeaf and msize should never both be set.
+    BSON_ASSERT(!token_metadata.is_leaf.set || !token_metadata.msize.set);
     mc_ECOCToken_t *ecocToken = mc_ECOCToken_new(crypto, collectionsLevel1Token, status);
     if (!ecocToken) {
         return false;
@@ -531,10 +538,10 @@ static bool _fle2_derive_encrypted_token(_mongocrypt_crypto_t *crypto,
     const _mongocrypt_buffer_t *p = &tmp;
     if (!eccDerivedToken) {
         // FLE2v2
-        if (concatentate_leaf && is_leaf.set) {
+        if (token_metadata.is_leaf.set) {
             // Range V2; concat isLeaf
             _mongocrypt_buffer_t isLeafBuf;
-            if (!_mongocrypt_buffer_copy_from_data_and_size(&isLeafBuf, (uint8_t[]){is_leaf.value}, 1)) {
+            if (!_mongocrypt_buffer_copy_from_data_and_size(&isLeafBuf, (uint8_t[]){token_metadata.is_leaf.value}, 1)) {
                 CLIENT_ERR("failed to create is_leaf buffer");
                 goto fail;
             }
@@ -544,6 +551,21 @@ static bool _fle2_derive_encrypted_token(_mongocrypt_crypto_t *crypto,
                 goto fail;
             }
             _mongocrypt_buffer_cleanup(&isLeafBuf);
+        } else if (token_metadata.msize.set) {
+            // Text search; concat msize
+            _mongocrypt_buffer_t msizeBuf;
+            // msize is a 3-byte value, so copy the 3 least significant bytes into the buffer in little-endian order.
+            uint32_t le_msize = BSON_UINT32_TO_LE(token_metadata.msize.value);
+            if (!_mongocrypt_buffer_copy_from_data_and_size(&msizeBuf, (uint8_t *)&le_msize, 3)) {
+                CLIENT_ERR("failed to create msize buffer");
+                goto fail;
+            }
+            if (!_mongocrypt_buffer_concat(&tmp, (_mongocrypt_buffer_t[]){*escDerivedToken, msizeBuf}, 2)) {
+                CLIENT_ERR("failed to allocate buffer");
+                _mongocrypt_buffer_cleanup(&msizeBuf);
+                goto fail;
+            }
+            _mongocrypt_buffer_cleanup(&msizeBuf);
         } else {
             p = escDerivedToken;
         }
@@ -753,16 +775,23 @@ static bool _mongocrypt_fle2_placeholder_to_insert_update_common(_mongocrypt_key
 
     // p := EncryptCTR(ECOCToken, ESCDerivedFromDataTokenAndContentionFactor)
     // Or in Range V2, when using range: p := EncryptCTR(ECOCToken, ESCDerivedFromDataTokenAndContentionFactor || 0x00)
-    if (!_fle2_derive_encrypted_token(
-            crypto,
-            &out->encryptedTokens,
-            true,
-            common->collectionsLevel1Token,
-            &out->escDerivedToken,
-            NULL, // unused in v2
-            // If this is a range insert, we append isLeaf to the encryptedTokens. Otherwise, we don't.
-            placeholder->algorithm == MONGOCRYPT_FLE2_ALGORITHM_RANGE ? OPT_BOOL(false) : (mc_optional_bool_t){0},
-            status)) {
+    // Or in Text Search, when using msize: p := EncryptCTR(ECOCToken, ESCDerivedFromDataTokenAndContentionFactor ||
+    // 0x000000)
+    struct encrypted_token_metadata et_meta = {{0}};
+    if (placeholder->algorithm == MONGOCRYPT_FLE2_ALGORITHM_RANGE) {
+        // For range, we append isLeaf to the encryptedTokens.
+        et_meta.is_leaf = OPT_BOOL(false);
+    } else if (placeholder->algorithm == MONGOCRYPT_FLE2_ALGORITHM_TEXT_SEARCH) {
+        // For text search, we append msize to the encryptedTokens.
+        et_meta.msize = OPT_U32(0);
+    }
+    if (!_fle2_derive_encrypted_token(crypto,
+                                      &out->encryptedTokens,
+                                      common->collectionsLevel1Token,
+                                      &out->escDerivedToken,
+                                      NULL, // unused in v2
+                                      et_meta,
+                                      status)) {
         goto fail;
     }
 
@@ -1021,11 +1050,10 @@ static bool _mongocrypt_fle2_placeholder_to_insert_update_ciphertextForRange(_mo
             // Or in Range V2: p := EncryptCTR(ECOCToken, ESCDerivedFromDataTokenAndContentionFactor || isLeaf)
             if (!_fle2_derive_encrypted_token(kb->crypt->crypto,
                                               &etc.encryptedTokens,
-                                              true,
                                               edge_tokens.collectionsLevel1Token,
                                               &etc.escDerivedToken,
                                               NULL, // ecc unsed in FLE2v2
-                                              OPT_BOOL(is_leaf),
+                                              (struct encrypted_token_metadata){.is_leaf = OPT_BOOL(is_leaf)},
                                               status)) {
                 goto fail_loop;
             }
@@ -1087,6 +1115,7 @@ static bool _mongocrypt_fle2_placeholder_to_insert_update_ciphertextForRange(_mo
                                                     mc_Text##Type##TokenSet_t *out,                                    \
                                                     const _mongocrypt_buffer_t *value,                                 \
                                                     int64_t contentionFactor,                                          \
+                                                    uint32_t msize,                                                    \
                                                     const mc_CollectionsLevel1Token_t *collLevel1Token,                \
                                                     const mc_ServerTokenDerivationLevel1Token_t *serverLevel1Token,    \
                                                     mongocrypt_status_t *status) {                                     \
@@ -1124,11 +1153,10 @@ static bool _mongocrypt_fle2_placeholder_to_insert_update_ciphertextForRange(_mo
         }                                                                                                              \
         if (!_fle2_derive_encrypted_token(kb->crypt->crypto,                                                           \
                                           &out->encryptedTokens,                                                       \
-                                          false,                                                                       \
                                           collLevel1Token,                                                             \
                                           &out->escDerivedToken,                                                       \
                                           NULL,                                                                        \
-                                          (mc_optional_bool_t){0},                                                     \
+                                          (struct encrypted_token_metadata){.msize = OPT_U32(msize)},                  \
                                           status)) {                                                                   \
             return false;                                                                                              \
         }                                                                                                              \
@@ -1230,6 +1258,8 @@ static bool _fle2_generate_TextSearchTokenSets(_mongocrypt_key_broker_t *kb,
                                               &tsts->exact,
                                               &asBsonValue,
                                               contentionFactor,
+                                              // For the exact token, report total msize of the token set.
+                                              encodeSets->msize,
                                               common.collectionsLevel1Token,
                                               common.serverTokenDerivationLevel1Token,
                                               status)) {
@@ -1258,10 +1288,12 @@ static bool _fle2_generate_TextSearchTokenSets(_mongocrypt_key_broker_t *kb,
             _mongocrypt_buffer_init(&asBsonValue);
             _mongocrypt_buffer_copy_from_string_as_bson_value(&asBsonValue, substring, (int)bytelen);
 
+            // For substring, prefix, and suffix tokens, report 0 as the msize.
             if (!_fle2_generate_TextSubstringTokenSet(kb,
                                                       &tset,
                                                       &asBsonValue,
                                                       contentionFactor,
+                                                      0 /* msize */,
                                                       common.collectionsLevel1Token,
                                                       common.serverTokenDerivationLevel1Token,
                                                       status)) {
@@ -1302,6 +1334,7 @@ static bool _fle2_generate_TextSearchTokenSets(_mongocrypt_key_broker_t *kb,
                                                    &tset,
                                                    &asBsonValue,
                                                    contentionFactor,
+                                                   0 /* msize */,
                                                    common.collectionsLevel1Token,
                                                    common.serverTokenDerivationLevel1Token,
                                                    status)) {
@@ -1342,6 +1375,7 @@ static bool _fle2_generate_TextSearchTokenSets(_mongocrypt_key_broker_t *kb,
                                                    &tset,
                                                    &asBsonValue,
                                                    contentionFactor,
+                                                   0 /* msize */,
                                                    common.collectionsLevel1Token,
                                                    common.serverTokenDerivationLevel1Token,
                                                    status)) {
@@ -1543,16 +1577,15 @@ static bool _mongocrypt_fle2_placeholder_to_insert_update_ciphertextForTextSearc
     _mongocrypt_buffer_copy_to(&payload.edcDerivedToken, &payload.escDerivedToken);
     _mongocrypt_buffer_copy_to(&payload.edcDerivedToken, &payload.serverDerivedFromDataToken);
 
-    // p := EncryptCTR(ECOCToken, ESCDerivedFromDataTokenAndContentionFactor)
+    // p := EncryptCTR(ECOCToken, ESCDerivedFromDataTokenAndContentionFactor | 0x000000)
     // Since p is never used for text search, this just sets p to a bogus ciphertext of
     // the correct length.
     if (!_fle2_derive_encrypted_token(kb->crypt->crypto,
                                       &payload.encryptedTokens,
-                                      false,
                                       common.collectionsLevel1Token,
                                       &payload.escDerivedToken, // bogus
                                       NULL,                     // unused in FLE2v2
-                                      (mc_optional_bool_t){0},
+                                      (struct encrypted_token_metadata){.msize = OPT_U32(0)},
                                       status)) {
         goto fail;
     }

test/test-mc-text-search-str-encode.c

@@ -90,9 +90,12 @@ static void test_nofold_suffix_prefix_case(_mongocrypt_tester_t *tester,
         if (lb > padded_len) {
             ASSERT(sets->suffix_set == NULL);
             ASSERT(sets->prefix_set == NULL);
+            ASSERT_CMPUINT32(sets->msize, ==, 1 /* for exact string */);
             goto CONTINUE;
         }
 
+        ASSERT_CMPUINT32(sets->msize, ==, n_affixes + 1 /* for exact string */);
+
         TEST_PRINTF("Expecting: n_real_affixes: %u, n_affixes: %u, n_padding: %u\n",
                     n_real_affixes,
                     n_affixes,
@@ -263,11 +266,14 @@ static void test_nofold_substring_case(_mongocrypt_tester_t *tester,
 
     if (lb > padded_len) {
         ASSERT(sets->substring_set == NULL);
+        ASSERT_CMPUINT32(sets->msize, ==, 1 /* for exact string */);
         goto cleanup;
     } else {
         ASSERT(sets->substring_set != NULL);
     }
 
+    ASSERT_CMPUINT32(sets->msize, ==, n_substrings + 1 /* for exact string */);
+
     uint32_t n_real_substrings = calc_unique_substrings(sets->base_string, lb, ub);
     uint32_t n_padding = n_substrings - n_real_substrings;
 
@@ -1161,6 +1167,8 @@ static void _test_text_search_str_encode_multiple(_mongocrypt_tester_t *tester)
     ASSERT_CMPUINT32(sets->exact.len, ==, 9);
     ASSERT_CMPINT(0, ==, memcmp(sets->exact.data, str, 9));
 
+    ASSERT_CMPUINT32(sets->msize, ==, 1 + 3 + 5 + 3); /* exact + substring + suffix + prefix */
+
     mc_str_encode_sets_destroy(sets);
 }