move openssl crypto components to fizz/backend/openssl
Summary:
As part of the work to decouple openssl from fizz, this diff begins to move the openssl-related components within fizz to `fizz/backend/openssl`. It also exposes all the openssl dependencies through a single target, `fizz/backend:openssl`. Eventually, everything that wants to use openssl functionality directly can depend on that target.

This commit will change everything *within* fizz to use the new `openssl::` namespace for the classes that have been moved, but external dependencies still reference the old `fizz::` namespace classes. To maintain compatibility we've added type aliases `fizz::A` to point to `fizz::openssl::A`.

Next steps:
- convert dependencies to use the new namespace
- remove the old files.

After that:
- A few components need to be moved back out of the `backend/openssl` folder. Like the AES and Sha types. We need to split the openssl info out of those types. Slightly easier to do this in a separate change.
- There are still a few things that still need to get moved behind backend/openssl, like DefaultCertificateVerifier and some operations that need to become openssl primitives and get used through the Factory rather than used directly.

Reviewed By: mingtaoy

Differential Revision: D56274868

fbshipit-source-id: 7ed7473fbe8ebe69b413d02d96a0b0fd85b0eebe
Zale Young authored and facebook-github-bot committed Apr 26, 2024
1 parent 17a053f commit 3b2468f
Showing 135 changed files with 3,887 additions and 1,063 deletions.
34 changes: 20 additions & 14 deletions fizz/CMakeLists.txt
Expand Up @@ -110,15 +110,21 @@ configure_file(fizz-config.h.in ${CMAKE_CURRENT_BINARY_DIR}/generated/fizz/fizz-
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/generated/fizz/fizz-config.h DESTINATION ${INCLUDE_INSTALL_DIR}/fizz/)

set(FIZZ_HEADER_DIRS
backend
backend/openssl
backend/openssl/crypto
backend/openssl/crypto/aead
backend/openssl/crypto/exchange
backend/openssl/crypto/signature
client
compression
crypto
crypto/aead
crypto/exchange
crypto/hpke
crypto/signature
crypto/openssl
experimental/crypto/exchange
crypto/exchange
crypto/hpke
experimental/ktls
experimental/util
extensions/delegatedcred
Expand Down Expand Up @@ -172,20 +178,20 @@ set(FIZZ_SOURCES
crypto/Utils.cpp
crypto/exchange/HybridKeyExchange.cpp
crypto/exchange/X25519.cpp
crypto/aead/OpenSSLEVPCipher.cpp
backend/openssl/crypto/aead/OpenSSLEVPCipher.cpp
crypto/aead/IOBufUtil.cpp
crypto/aead/AEGISCipher.cpp
crypto/signature/Signature.cpp
backend/openssl/crypto/signature/Signature.cpp
crypto/Hkdf.cpp
crypto/KeyDerivation.cpp
crypto/Sha256.cpp
crypto/Sha384.cpp
backend/openssl/crypto/Sha256.cpp
backend/openssl/crypto/Sha384.cpp
crypto/hpke/Context.cpp
crypto/hpke/DHKEM.cpp
crypto/hpke/Hkdf.cpp
crypto/hpke/Hpke.cpp
crypto/hpke/Utils.cpp
crypto/openssl/OpenSSLKeyUtils.cpp
backend/openssl/crypto/OpenSSLKeyUtils.cpp
record/Types.cpp
record/RecordLayer.cpp
record/EncryptedRecordLayer.cpp
Expand All @@ -209,8 +215,8 @@ set(FIZZ_SOURCES
protocol/Events.cpp
protocol/KeyScheduler.cpp
protocol/Certificate.cpp
protocol/CertUtils.cpp
protocol/OpenSSLFactory.cpp
backend/openssl/certificate/CertUtils.cpp
backend/openssl/OpenSSLFactory.cpp
protocol/Params.cpp
protocol/clock/SystemClock.cpp
protocol/ech/Decrypter.cpp
Expand Down Expand Up @@ -427,16 +433,16 @@ if(BUILD_TESTS)
add_gtest(client/test/FizzClientTest.cpp FizzClientTest)
add_gtest(compression/test/CertDecompressionManagerTest.cpp CertDecompressionManagerTest)
add_gtest(compression/test/ZlibCertificateCompressorTest.cpp ZlibCertificateCompressorTest)
add_gtest(crypto/aead/test/EVPCipherTest.cpp EVPCipherTest)
add_gtest(backend/openssl/crypto/aead/test/EVPCipherTest.cpp EVPCipherTest)
add_gtest(crypto/aead/test/IOBufUtilTest.cpp IOBufUtilTest)
add_gtest(crypto/exchange/test/X25519KeyExchangeTest.cpp X25519KeyExchangeTest)
add_gtest(crypto/exchange/test/ECKeyExchangeTest.cpp ECKeyExchangeTest)
add_gtest(backend/openssl/crypto/exchange/test/ECKeyExchangeTest.cpp ECKeyExchangeTest)
add_gtest(crypto/hpke/test/ContextTest.cpp ContextTest)
add_gtest(crypto/hpke/test/DHKEMTest.cpp DHKEMTest)
add_gtest(crypto/hpke/test/HpkeTest.cpp HpkeTest)
add_gtest(crypto/openssl/test/OpenSSLKeyUtilsTest.cpp OpenSSLKeyUtilsTest)
add_gtest(crypto/signature/test/RSAPSSSignatureTest.cpp RSAPSSSignatureTest)
add_gtest(crypto/signature/test/ECSignatureTest.cpp ECSignatureTest)
add_gtest(backend/openssl/crypto/test/OpenSSLKeyUtilsTest.cpp OpenSSLKeyUtilsTest)
add_gtest(backend/openssl/crypto/signature/test/RSAPSSSignatureTest.cpp RSAPSSSignatureTest)
add_gtest(backend/openssl/crypto/signature/test/ECSignatureTest.cpp ECSignatureTest)
add_gtest(crypto/test/HkdfTest.cpp HkdfTest)
add_gtest(crypto/test/KeyDerivationTest.cpp KeyDerivationTest)
add_gtest(crypto/test/RandomGeneratorTest.cpp RandomGeneratorTest)
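Review bot: In the FIZZ_HEADER_DIRS hunk, `crypto/exchange` and `crypto/hpke` each appear twice, once directly after `crypto/aead` and again after `experimental/crypto/exchange`; the rendering has dropped the +/- markers, so if both pairs are on the new side one pair should be deleted, and if one pair is the removed one the reorder looks accidental and is worth a second look. The same hunk keeps `crypto/signature` and `crypto/openssl` as header directories even though every source and test under those paths is moved to `backend/openssl` in the FIZZ_SOURCES and add_gtest hunks below; that is fine if headers still live there, but worth confirming so the install set does not advertise empty directories. A short comment above the list, `# backend/openssl holds the OpenSSL-specific implementations; other crypto/ dirs are backend-neutral`, would make the intended split easier to maintain.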
36 changes: 36 additions & 0 deletions fizz/backend/openssl/OpenSSL.h
@@ -0,0 +1,36 @@
// Copyright 2004-present Facebook. All Rights Reserved.

#pragma once

/*
This is the backend for the openssl crypto implementations.
Include this file to use openssl features.
*/

#include <fizz/fizz-config.h>

#include <fizz/backend/openssl/OpenSSLFactory.h>
#include <fizz/backend/openssl/certificate/CertUtils.h>
#include <fizz/backend/openssl/certificate/OpenSSLPeerCertImpl.h>
#include <fizz/backend/openssl/certificate/OpenSSLSelfCertImpl.h>
#include <fizz/backend/openssl/crypto/ECCurve.h>
#include <fizz/backend/openssl/crypto/OpenSSLKeyUtils.h>
#include <fizz/backend/openssl/crypto/Sha256.h>
#include <fizz/backend/openssl/crypto/Sha384.h>
#include <fizz/backend/openssl/crypto/Sha512.h>
#include <fizz/backend/openssl/crypto/aead/AESGCM128.h>
#include <fizz/backend/openssl/crypto/aead/AESGCM256.h>
#include <fizz/backend/openssl/crypto/aead/AESOCB128.h>
#include <fizz/backend/openssl/crypto/aead/ChaCha20Poly1305.h>
#include <fizz/backend/openssl/crypto/aead/OpenSSLEVPCipher.h>
#include <fizz/backend/openssl/crypto/exchange/OpenSSLKeyExchange.h>
#include <fizz/backend/openssl/crypto/signature/Signature.h>
#include <folly/io/IOBuf.h>

#define CREATE_FIZZ_FN_ALIAS(newname, oldname) \
template <typename... Args> \
auto newname(Args&&... args) { \
return oldname(std::forward<Args>(args)...); \
}
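Review bot: The `CREATE_FIZZ_FN_ALIAS` macro declares its generated wrapper with a plain `auto` return type, so an alias for any function that returns a reference would silently return a copy; `decltype(auto) newname(Args&&... args) { \` preserves the callee's exact return type. The wrapper calls `std::forward` but this header does not include `<utility>`, so it currently compiles only through a transitive include; add `#include <utility>` next to the folly include. Because the macro is defined in an umbrella header and never `#undef`'d, it is visible to every translation unit that includes OpenSSL.h, so a one-line comment above it stating that it exists to generate the `fizz::` → `fizz::openssl::` compatibility aliases would tell readers it is intentional API rather than a leaked helper.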
Expand Up @@ -6,14 +6,21 @@
* LICENSE file in the root directory of this source tree.
*/

#include <fizz/protocol/CertUtils.h>
#include <fizz/protocol/OpenSSLFactory.h>
#include <fizz/backend/openssl/OpenSSLFactory.h>
#include <fizz/backend/openssl/certificate/CertUtils.h>
#include <fizz/fizz-config.h>

#if FIZZ_HAVE_OQS
#include <fizz/crypto/exchange/HybridKeyExchange.h>
#include <fizz/experimental/crypto/exchange/OQSKeyExchange.h>
#endif

#if FIZZ_BUILD_AEGIS
#include <fizz/crypto/aead/AEGISCipher.h>
#endif

namespace fizz {
namespace openssl {

std::unique_ptr<KeyExchange> OpenSSLFactory::makeKeyExchange(
NamedGroup group,
Expand Down Expand Up @@ -119,4 +126,5 @@ std::unique_ptr<PeerCert> OpenSSLFactory::makePeerCert(
return CertUtils::makePeerCert(std::move(certEntry.cert_data));
}

} // namespace openssl
} // namespace fizz
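--- a/fizz/backend/openssl/OpenSSLFactory.h
+++ b/fizz/backend/openssl/OpenSSLFactory.h
@@ -0,0 +1,48 @@
+/*
+* Copyright (c) 2018-present, Facebook, Inc.
+* All rights reserved.
+*
+* This source code is licensed under the BSD-style license found in the
+* LICENSE file in the root directory of this source tree.
+*/
+
+#pragma once
+
+#include <fizz/backend/openssl/crypto/ECCurve.h>
+#include <fizz/backend/openssl/crypto/Sha256.h>
+#include <fizz/backend/openssl/crypto/Sha384.h>
+#include <fizz/backend/openssl/crypto/Sha512.h>
+#include <fizz/backend/openssl/crypto/aead/AESGCM128.h>
+#include <fizz/backend/openssl/crypto/aead/AESGCM256.h>
+#include <fizz/backend/openssl/crypto/aead/AESOCB128.h>
+#include <fizz/backend/openssl/crypto/aead/ChaCha20Poly1305.h>
+#include <fizz/backend/openssl/crypto/aead/OpenSSLEVPCipher.h>
+#include <fizz/backend/openssl/crypto/exchange/OpenSSLKeyExchange.h>
+#include <fizz/crypto/exchange/X25519.h>
+#include <fizz/protocol/DefaultFactory.h>
+
+namespace fizz {
+class PeerCert;
+namespace openssl {
+
+class OpenSSLFactory : public DefaultFactory {
+public:
+[[nodiscard]] std::unique_ptr<KeyExchange> makeKeyExchange(
+NamedGroup group,
+KeyExchangeMode mode) const override;
+
+[[nodiscard]] std::unique_ptr<Aead> makeAead(
+CipherSuite cipher) const override;
+
+std::unique_ptr<KeyDerivation> makeKeyDeriver(
+CipherSuite cipher) const override;
+
+std::unique_ptr<HandshakeContext> makeHandshakeContext(
+CipherSuite cipher) const override;
+
+[[nodiscard]] std::unique_ptr<PeerCert> makePeerCert(
+CertificateEntry certEntry,
+bool /*leaf*/) const override;
+};
+} // namespace openssl
+} // namespace fizz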
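Review bot: `makeKeyDeriver` and `makeHandshakeContext` are the only two overrides in `OpenSSLFactory` without `[[nodiscard]]`, while the other three carry it; unless the base declarations in DefaultFactory differ, the attribute should be applied uniformly, i.e. `[[nodiscard]] std::unique_ptr<KeyDerivation> makeKeyDeriver(` and `[[nodiscard]] std::unique_ptr<HandshakeContext> makeHandshakeContext(`. The header uses `std::unique_ptr` throughout but does not include `<memory>`, relying on a transitive include. The class has no doc comment; a short header such as `/** Factory returning the OpenSSL-backed implementations of fizz's KeyExchange, Aead, KeyDerivation, HandshakeContext and PeerCert. */` would orient readers arriving in the new backend directory, and marking the class `final` if nothing derives from it lets the compiler devirtualize calls through it.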
Expand Up @@ -7,6 +7,7 @@
*/

namespace fizz {
namespace openssl {

namespace detail {
folly::Optional<std::string> getIdentityFromX509(X509* x);
Expand Down Expand Up @@ -37,4 +38,5 @@ inline std::vector<SignatureScheme>
CertUtils::getSigSchemes<KeyType::ED25519>() {
return {SignatureScheme::ed25519};
}
} // namespace openssl
} // namespace fizz
Expand Up @@ -6,10 +6,10 @@
* LICENSE file in the root directory of this source tree.
*/

#include <fizz/protocol/CertUtils.h>
#include <fizz/backend/openssl/certificate/CertUtils.h>
#include <fizz/backend/openssl/certificate/OpenSSLPeerCertImpl.h>
#include <fizz/backend/openssl/certificate/OpenSSLSelfCertImpl.h>
#include <fizz/protocol/Certificate.h>
#include <fizz/protocol/OpenSSLPeerCertImpl.h>
#include <fizz/protocol/OpenSSLSelfCertImpl.h>
#include <folly/ssl/OpenSSLCertUtils.h>
#include <openssl/bio.h>

Expand All @@ -24,6 +24,7 @@ int getCurveName(EVP_PKEY* key) {
} // namespace

namespace fizz {
namespace openssl {

namespace detail {

Expand Down Expand Up @@ -297,4 +298,5 @@ CompressedCertificate CertUtils::cloneCompressedCert(
return ret;
}

} // namespace openssl
} // namespace fizz
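--- a/fizz/backend/openssl/certificate/CertUtils.h
+++ b/fizz/backend/openssl/certificate/CertUtils.h
@@ -0,0 +1,100 @@
+/*
+* Copyright (c) 2018-present, Facebook, Inc.
+* All rights reserved.
+*
+* This source code is licensed under the BSD-style license found in the
+* LICENSE file in the root directory of this source tree.
+*/
+
+#pragma once
+
+#include <fizz/backend/openssl/crypto/signature/Signature.h>
+#include <fizz/compression/CertificateCompressor.h>
+#include <fizz/record/Types.h>
+#include <folly/ssl/OpenSSLPtrTypes.h>
+
+namespace fizz {
+
+class SelfCert;
+class PeerCert;
+enum class CertificateVerifyContext;
+
+namespace openssl {
+
+class CertUtils {
+public:
+/**
+* Adds the appropriate context data to prepare toBeSigned for a signature
+* scheme's signing function.
+*/
+static Buf prepareSignData(
+CertificateVerifyContext context,
+folly::ByteRange toBeSigned);
+
+static CertificateMsg getCertMessage(
+const std::vector<folly::ssl::X509UniquePtr>& certs,
+Buf certificateRequestContext);
+
+template <KeyType T>
+static std::vector<SignatureScheme> getSigSchemes();
+
+static std::vector<SignatureScheme> getSigSchemes(KeyType type);
+
+/**
+* Create a PeerCert from the ASN1 encoded certData.
+*/
+static std::unique_ptr<PeerCert> makePeerCert(Buf certData);
+
+/**
+* Create a PeerCert from a given X509
+*/
+static std::unique_ptr<PeerCert> makePeerCert(folly::ssl::X509UniquePtr cert);
+
+/**
+* Creates a SelfCert using the supplied certificate/key file data and
+* compressors.
+* Throws std::runtime_error on error.
+*/
+static std::unique_ptr<SelfCert> makeSelfCert(
+std::string certData,
+std::string keyData,
+const std::vector<std::shared_ptr<CertificateCompressor>>& compressors =
+{});
+
+static folly::ssl::EvpPkeyUniquePtr readPrivateKeyFromBuffer(
+std::string keyData,
+char* password = nullptr);
+
+/**
+* Returns the key type for a public/private key.
+*/
+static KeyType getKeyType(const folly::ssl::EvpPkeyUniquePtr& key);
+
+/**
+* Creates a SelfCert using the supplied certificate, encrypted key data,
+* and password. Throws std::runtime_error on error.
+*/
+static std::unique_ptr<SelfCert> makeSelfCert(
+std::string certData,
+std::string encryptedKeyData,
+std::string password,
+const std::vector<std::shared_ptr<CertificateCompressor>>& compressors =
+{});
+
+static std::unique_ptr<SelfCert> makeSelfCert(
+std::vector<folly::ssl::X509UniquePtr> certs,
+folly::ssl::EvpPkeyUniquePtr key,
+const std::vector<std::shared_ptr<CertificateCompressor>>& compressors =
+{});
+
+/**
+* Clones a compressed cert by copying the relevant fields and cloning the
+* underlying data IOBuf.
+*/
+static CompressedCertificate cloneCompressedCert(
+const CompressedCertificate& src);
+};
+} // namespace openssl
+} // namespace fizz
+
+#include <fizz/backend/openssl/certificate/CertUtils-inl.h>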
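Review bot: `readPrivateKeyFromBuffer`, `getCertMessage` and both `getSigSchemes` overloads are the only public members of `CertUtils` without a doc comment, and the first one handles private-key material through a raw `char* password`, so its contract deserves stating: `/** Parses the private key in keyData; password, when non-null, is used to decrypt an encrypted key. Returns the parsed key or <document: throws std::runtime_error / returns a null EvpPkeyUniquePtr> on failure. */` with the failure behaviour filled in from the .cpp. The non-const `char*` is presumably an artifact of the OpenSSL PEM password-callback signature rather than a promise to modify the buffer; saying so in the comment stops callers from guessing, and if the implementation does not modify it the parameter can become `const char*`. Note also that `keyData`, `encryptedKeyData` and `password` are taken by `std::string` value, so every call copies secret material into heap buffers that `std::string` never wipes; a one-line caveat in the doc comments (or accepting `folly::ByteRange`/`std::string_view` where the underlying OpenSSL call does not need ownership) would make that lifetime explicit to callers.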
Expand Up @@ -8,11 +8,12 @@

#pragma once

#include <fizz/protocol/CertUtils.h>
#include <fizz/backend/openssl/certificate/CertUtils.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>

namespace fizz {
namespace openssl {

namespace detail {
extern folly::Optional<std::string> getIdentityFromX509(X509* x);
Expand Down Expand Up @@ -118,4 +119,5 @@ folly::ssl::X509UniquePtr OpenSSLPeerCertImpl<T>::getX509() const {
X509_up_ref(cert_.get());
return folly::ssl::X509UniquePtr(cert_.get());
}
} // namespace openssl
} // namespace fizz
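Review bot: In `getX509`, the return value of `X509_up_ref(cert_.get())` is ignored; `X509_up_ref` returns 1 on success and 0 on failure, and on failure the `folly::ssl::X509UniquePtr` built on the next line would own a reference that was never taken, so releasing it would decrement the count below the true number of owners. A guard such as `if (X509_up_ref(cert_.get()) != 1) { throw std::runtime_error("X509_up_ref failed"); }` before the return closes that gap. The function's signature sits in the hunk's context header, so its body starts outside the hunk, and this is pre-existing behaviour — only the `namespace openssl` closer is new here.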
