move openssl crypto components to fizz/backend/openssl

Summary:
As part of the work to decouple openssl from fizz, this diff begins to move openssl related component within fizz to `fizz/backend/openssl`. It also exposes all the openssl dependencies through a single target `fizz/backend:openssl`. Eventually, everything that wants to directly use openssl functionality can depend on that target.

This commit will change everything *within* fizz to use the new `openssl::` namespace for the classes that have been moved, but external dependencies still reference the old `fizz::` namespace classes. To maintain compatibility we've added type aliases `fizz::A` to point to `fizz::openssl::A`.

Next steps:
- convert dependencies to use the new namespace
- remove the old files.

After that:
- A few components need to be moved back out of the `backend/openssl` folder. Like the AES and Sha types. We need to split the openssl info out of those types. Slightly easier to do this in a separate change.
- There are still a few things that still need to get moved behind backend/openssl, like DefaultCertificateVerifier and some operations that need to become openssl primitives and get used through the Factory rather than used directly.

Reviewed By: mingtaoy

Differential Revision: D56274868

fbshipit-source-id: 7ed7473fbe8ebe69b413d02d96a0b0fd85b0eebe

fizz/CMakeLists.txt

@@ -110,15 +110,21 @@ configure_file(fizz-config.h.in ${CMAKE_CURRENT_BINARY_DIR}/generated/fizz/fizz-
 install(FILES ${CMAKE_CURRENT_BINARY_DIR}/generated/fizz/fizz-config.h DESTINATION ${INCLUDE_INSTALL_DIR}/fizz/)
 
 set(FIZZ_HEADER_DIRS
+  backend
+  backend/openssl
+  backend/openssl/crypto
+  backend/openssl/crypto/aead
+  backend/openssl/crypto/exchange
+  backend/openssl/crypto/signature
   client
   compression
   crypto
   crypto/aead
-  crypto/exchange
-  crypto/hpke
   crypto/signature
   crypto/openssl
   experimental/crypto/exchange
+  crypto/exchange
+  crypto/hpke
   experimental/ktls
   experimental/util
   extensions/delegatedcred
@@ -172,20 +178,20 @@ set(FIZZ_SOURCES
   crypto/Utils.cpp
   crypto/exchange/HybridKeyExchange.cpp
   crypto/exchange/X25519.cpp
-  crypto/aead/OpenSSLEVPCipher.cpp
+  backend/openssl/crypto/aead/OpenSSLEVPCipher.cpp
   crypto/aead/IOBufUtil.cpp
   crypto/aead/AEGISCipher.cpp
-  crypto/signature/Signature.cpp
+  backend/openssl/crypto/signature/Signature.cpp
   crypto/Hkdf.cpp
   crypto/KeyDerivation.cpp
-  crypto/Sha256.cpp
-  crypto/Sha384.cpp
+  backend/openssl/crypto/Sha256.cpp
+  backend/openssl/crypto/Sha384.cpp
   crypto/hpke/Context.cpp
   crypto/hpke/DHKEM.cpp
   crypto/hpke/Hkdf.cpp
   crypto/hpke/Hpke.cpp
   crypto/hpke/Utils.cpp
-  crypto/openssl/OpenSSLKeyUtils.cpp
+  backend/openssl/crypto/OpenSSLKeyUtils.cpp
   record/Types.cpp
   record/RecordLayer.cpp
   record/EncryptedRecordLayer.cpp
@@ -209,8 +215,8 @@ set(FIZZ_SOURCES
   protocol/Events.cpp
   protocol/KeyScheduler.cpp
   protocol/Certificate.cpp
-  protocol/CertUtils.cpp
-  protocol/OpenSSLFactory.cpp
+  backend/openssl/certificate/CertUtils.cpp
+  backend/openssl/OpenSSLFactory.cpp
   protocol/Params.cpp
   protocol/clock/SystemClock.cpp
   protocol/ech/Decrypter.cpp
@@ -427,16 +433,16 @@ if(BUILD_TESTS)
   add_gtest(client/test/FizzClientTest.cpp FizzClientTest)
   add_gtest(compression/test/CertDecompressionManagerTest.cpp CertDecompressionManagerTest)
   add_gtest(compression/test/ZlibCertificateCompressorTest.cpp ZlibCertificateCompressorTest)
-  add_gtest(crypto/aead/test/EVPCipherTest.cpp EVPCipherTest)
+  add_gtest(backend/openssl/crypto/aead/test/EVPCipherTest.cpp EVPCipherTest)
   add_gtest(crypto/aead/test/IOBufUtilTest.cpp IOBufUtilTest)
   add_gtest(crypto/exchange/test/X25519KeyExchangeTest.cpp X25519KeyExchangeTest)
-  add_gtest(crypto/exchange/test/ECKeyExchangeTest.cpp ECKeyExchangeTest)
+  add_gtest(backend/openssl/crypto/exchange/test/ECKeyExchangeTest.cpp ECKeyExchangeTest)
   add_gtest(crypto/hpke/test/ContextTest.cpp ContextTest)
   add_gtest(crypto/hpke/test/DHKEMTest.cpp DHKEMTest)
   add_gtest(crypto/hpke/test/HpkeTest.cpp HpkeTest)
-  add_gtest(crypto/openssl/test/OpenSSLKeyUtilsTest.cpp OpenSSLKeyUtilsTest)
-  add_gtest(crypto/signature/test/RSAPSSSignatureTest.cpp RSAPSSSignatureTest)
-  add_gtest(crypto/signature/test/ECSignatureTest.cpp ECSignatureTest)
+  add_gtest(backend/openssl/crypto/test/OpenSSLKeyUtilsTest.cpp OpenSSLKeyUtilsTest)
+  add_gtest(backend/openssl/crypto/signature/test/RSAPSSSignatureTest.cpp RSAPSSSignatureTest)
+  add_gtest(backend/openssl/crypto/signature/test/ECSignatureTest.cpp ECSignatureTest)
   add_gtest(crypto/test/HkdfTest.cpp HkdfTest)
   add_gtest(crypto/test/KeyDerivationTest.cpp KeyDerivationTest)
   add_gtest(crypto/test/RandomGeneratorTest.cpp RandomGeneratorTest)

fizz/backend/openssl/OpenSSL.h

@@ -0,0 +1,36 @@
+// Copyright 2004-present Facebook. All Rights Reserved.
+
+#pragma once
+
+/*
+
+This is the backend for the openssl crypto implementations.
+Include this file to use openssl features.
+
+*/
+
+#include <fizz/fizz-config.h>
+
+#include <fizz/backend/openssl/OpenSSLFactory.h>
+#include <fizz/backend/openssl/certificate/CertUtils.h>
+#include <fizz/backend/openssl/certificate/OpenSSLPeerCertImpl.h>
+#include <fizz/backend/openssl/certificate/OpenSSLSelfCertImpl.h>
+#include <fizz/backend/openssl/crypto/ECCurve.h>
+#include <fizz/backend/openssl/crypto/OpenSSLKeyUtils.h>
+#include <fizz/backend/openssl/crypto/Sha256.h>
+#include <fizz/backend/openssl/crypto/Sha384.h>
+#include <fizz/backend/openssl/crypto/Sha512.h>
+#include <fizz/backend/openssl/crypto/aead/AESGCM128.h>
+#include <fizz/backend/openssl/crypto/aead/AESGCM256.h>
+#include <fizz/backend/openssl/crypto/aead/AESOCB128.h>
+#include <fizz/backend/openssl/crypto/aead/ChaCha20Poly1305.h>
+#include <fizz/backend/openssl/crypto/aead/OpenSSLEVPCipher.h>
+#include <fizz/backend/openssl/crypto/exchange/OpenSSLKeyExchange.h>
+#include <fizz/backend/openssl/crypto/signature/Signature.h>
+#include <folly/io/IOBuf.h>
+
+#define CREATE_FIZZ_FN_ALIAS(newname, oldname)   \
+  template <typename... Args>                    \
+  auto newname(Args&&... args) {                 \
+    return oldname(std::forward<Args>(args)...); \
+  }

fizz/protocol/OpenSSLFactory.cpp → fizz/backend/openssl/OpenSSLFactory.cpp

@@ -6,14 +6,21 @@
  *  LICENSE file in the root directory of this source tree.
  */
 
-#include <fizz/protocol/CertUtils.h>
-#include <fizz/protocol/OpenSSLFactory.h>
+#include <fizz/backend/openssl/OpenSSLFactory.h>
+#include <fizz/backend/openssl/certificate/CertUtils.h>
+#include <fizz/fizz-config.h>
+
 #if FIZZ_HAVE_OQS
 #include <fizz/crypto/exchange/HybridKeyExchange.h>
 #include <fizz/experimental/crypto/exchange/OQSKeyExchange.h>
 #endif
 
+#if FIZZ_BUILD_AEGIS
+#include <fizz/crypto/aead/AEGISCipher.h>
+#endif
+
 namespace fizz {
+namespace openssl {
 
 std::unique_ptr<KeyExchange> OpenSSLFactory::makeKeyExchange(
     NamedGroup group,
@@ -119,4 +126,5 @@ std::unique_ptr<PeerCert> OpenSSLFactory::makePeerCert(
   return CertUtils::makePeerCert(std::move(certEntry.cert_data));
 }
 
+} // namespace openssl
 } // namespace fizz

fizz/backend/openssl/OpenSSLFactory.h

@@ -0,0 +1,48 @@
+/*
+ *  Copyright (c) 2018-present, Facebook, Inc.
+ *  All rights reserved.
+ *
+ *  This source code is licensed under the BSD-style license found in the
+ *  LICENSE file in the root directory of this source tree.
+ */
+
+#pragma once
+
+#include <fizz/backend/openssl/crypto/ECCurve.h>
+#include <fizz/backend/openssl/crypto/Sha256.h>
+#include <fizz/backend/openssl/crypto/Sha384.h>
+#include <fizz/backend/openssl/crypto/Sha512.h>
+#include <fizz/backend/openssl/crypto/aead/AESGCM128.h>
+#include <fizz/backend/openssl/crypto/aead/AESGCM256.h>
+#include <fizz/backend/openssl/crypto/aead/AESOCB128.h>
+#include <fizz/backend/openssl/crypto/aead/ChaCha20Poly1305.h>
+#include <fizz/backend/openssl/crypto/aead/OpenSSLEVPCipher.h>
+#include <fizz/backend/openssl/crypto/exchange/OpenSSLKeyExchange.h>
+#include <fizz/crypto/exchange/X25519.h>
+#include <fizz/protocol/DefaultFactory.h>
+
+namespace fizz {
+class PeerCert;
+namespace openssl {
+
+class OpenSSLFactory : public DefaultFactory {
+ public:
+  [[nodiscard]] std::unique_ptr<KeyExchange> makeKeyExchange(
+      NamedGroup group,
+      KeyExchangeMode mode) const override;
+
+  [[nodiscard]] std::unique_ptr<Aead> makeAead(
+      CipherSuite cipher) const override;
+
+  std::unique_ptr<KeyDerivation> makeKeyDeriver(
+      CipherSuite cipher) const override;
+
+  std::unique_ptr<HandshakeContext> makeHandshakeContext(
+      CipherSuite cipher) const override;
+
+  [[nodiscard]] std::unique_ptr<PeerCert> makePeerCert(
+      CertificateEntry certEntry,
+      bool /*leaf*/) const override;
+};
+} // namespace openssl
+} // namespace fizz

fizz/protocol/CertUtils-inl.h → fizz/backend/openssl/certificate/CertUtils-inl.h

@@ -7,6 +7,7 @@
  */
 
 namespace fizz {
+namespace openssl {
 
 namespace detail {
 folly::Optional<std::string> getIdentityFromX509(X509* x);
@@ -37,4 +38,5 @@ inline std::vector<SignatureScheme>
 CertUtils::getSigSchemes<KeyType::ED25519>() {
   return {SignatureScheme::ed25519};
 }
+} // namespace openssl
 } // namespace fizz

fizz/protocol/CertUtils.cpp → fizz/backend/openssl/certificate/CertUtils.cpp

@@ -6,10 +6,10 @@
  *  LICENSE file in the root directory of this source tree.
  */
 
-#include <fizz/protocol/CertUtils.h>
+#include <fizz/backend/openssl/certificate/CertUtils.h>
+#include <fizz/backend/openssl/certificate/OpenSSLPeerCertImpl.h>
+#include <fizz/backend/openssl/certificate/OpenSSLSelfCertImpl.h>
 #include <fizz/protocol/Certificate.h>
-#include <fizz/protocol/OpenSSLPeerCertImpl.h>
-#include <fizz/protocol/OpenSSLSelfCertImpl.h>
 #include <folly/ssl/OpenSSLCertUtils.h>
 #include <openssl/bio.h>
 
@@ -24,6 +24,7 @@ int getCurveName(EVP_PKEY* key) {
 } // namespace
 
 namespace fizz {
+namespace openssl {
 
 namespace detail {
 
@@ -297,4 +298,5 @@ CompressedCertificate CertUtils::cloneCompressedCert(
   return ret;
 }
 
+} // namespace openssl
 } // namespace fizz

fizz/backend/openssl/certificate/CertUtils.h

@@ -0,0 +1,100 @@
+/*
+ *  Copyright (c) 2018-present, Facebook, Inc.
+ *  All rights reserved.
+ *
+ *  This source code is licensed under the BSD-style license found in the
+ *  LICENSE file in the root directory of this source tree.
+ */
+
+#pragma once
+
+#include <fizz/backend/openssl/crypto/signature/Signature.h>
+#include <fizz/compression/CertificateCompressor.h>
+#include <fizz/record/Types.h>
+#include <folly/ssl/OpenSSLPtrTypes.h>
+
+namespace fizz {
+
+class SelfCert;
+class PeerCert;
+enum class CertificateVerifyContext;
+
+namespace openssl {
+
+class CertUtils {
+ public:
+  /**
+   * Adds the appropriate context data to prepare toBeSigned for a signature
+   * scheme's signing function.
+   */
+  static Buf prepareSignData(
+      CertificateVerifyContext context,
+      folly::ByteRange toBeSigned);
+
+  static CertificateMsg getCertMessage(
+      const std::vector<folly::ssl::X509UniquePtr>& certs,
+      Buf certificateRequestContext);
+
+  template <KeyType T>
+  static std::vector<SignatureScheme> getSigSchemes();
+
+  static std::vector<SignatureScheme> getSigSchemes(KeyType type);
+
+  /**
+   * Create a PeerCert from the ASN1 encoded certData.
+   */
+  static std::unique_ptr<PeerCert> makePeerCert(Buf certData);
+
+  /**
+   * Create a PeerCert from a given X509
+   */
+  static std::unique_ptr<PeerCert> makePeerCert(folly::ssl::X509UniquePtr cert);
+
+  /**
+   * Creates a SelfCert using the supplied certificate/key file data and
+   * compressors.
+   * Throws std::runtime_error on error.
+   */
+  static std::unique_ptr<SelfCert> makeSelfCert(
+      std::string certData,
+      std::string keyData,
+      const std::vector<std::shared_ptr<CertificateCompressor>>& compressors =
+          {});
+
+  static folly::ssl::EvpPkeyUniquePtr readPrivateKeyFromBuffer(
+      std::string keyData,
+      char* password = nullptr);
+
+  /**
+   * Returns the key type for a public/private key.
+   */
+  static KeyType getKeyType(const folly::ssl::EvpPkeyUniquePtr& key);
+
+  /**
+   * Creates a SelfCert using the supplied certificate, encrypted key data,
+   * and password. Throws std::runtime_error on error.
+   */
+  static std::unique_ptr<SelfCert> makeSelfCert(
+      std::string certData,
+      std::string encryptedKeyData,
+      std::string password,
+      const std::vector<std::shared_ptr<CertificateCompressor>>& compressors =
+          {});
+
+  static std::unique_ptr<SelfCert> makeSelfCert(
+      std::vector<folly::ssl::X509UniquePtr> certs,
+      folly::ssl::EvpPkeyUniquePtr key,
+      const std::vector<std::shared_ptr<CertificateCompressor>>& compressors =
+          {});
+
+  /**
+   * Clones a compressed cert by copying the relevant fields and cloning the
+   * underlying data IOBuf.
+   */
+  static CompressedCertificate cloneCompressedCert(
+      const CompressedCertificate& src);
+};
+} // namespace openssl
+} // namespace fizz
+
+#include <fizz/backend/openssl/certificate/CertUtils-inl.h>

fizz/protocol/OpenSSLPeerCertImpl-inl.h → fizz/backend/openssl/certificate/OpenSSLPeerCertImpl-inl.h

@@ -8,11 +8,12 @@
 
 #pragma once
 
-#include <fizz/protocol/CertUtils.h>
+#include <fizz/backend/openssl/certificate/CertUtils.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
 namespace fizz {
+namespace openssl {
 
 namespace detail {
 extern folly::Optional<std::string> getIdentityFromX509(X509* x);
@@ -118,4 +119,5 @@ folly::ssl::X509UniquePtr OpenSSLPeerCertImpl<T>::getX509() const {
   X509_up_ref(cert_.get());
   return folly::ssl::X509UniquePtr(cert_.get());
 }
+} // namespace openssl
 } // namespace fizz