Stop exporting OpenSSLFactory as a public dependency

Summary: This is part of the ongoing work to make fizz's use of OpenSSL an "implementation detail" and not expose it as a public dependency. This diff does a few things: - rename `Factory`->`DefaultFactory` and `IFactory`->`Factory` - Moved methods with openssl dependencies from `DefaultFactory` to `OpenSSLFactory`. - create implementation files for FizzClientContext.h and FizzServerContext.h and move openssl_factory to be a private dependency. - remove `openssl_factory` from most `exported_deps` except for some tests and any target with a class that extends OpenSSLFactory. Factory is now a pure virtual interface and so internal parts of fizz that reference Factory no longer depend on openssl. Almost no parts of fizz will exprort `OpenSSLFactory` as a public dependency. Reviewed By: mingtaoy Differential Revision: D51481217 fbshipit-source-id: 11e1785bd37ace714e9473b0d9d7c2d107e590ae
facebookincubator · Dec 14, 2023 · 9dd9a38 · 9dd9a38
1 parent 66c56c2
commit 9dd9a38
Show file tree

Hide file tree

Showing 20 changed files with 294 additions and 225 deletions.
diff --git a/fizz/CMakeLists.txt b/fizz/CMakeLists.txt
@@ -204,6 +204,7 @@ set(FIZZ_SOURCES
   record/BufAndPaddingPolicy.cpp
   server/AeadTokenCipher.cpp
   server/AeadCookieCipher.cpp
+  server/FizzServerContext.cpp
   server/ServerProtocol.cpp
   server/CertManager.cpp
   server/State.cpp
@@ -219,6 +220,7 @@ set(FIZZ_SOURCES
   protocol/Events.cpp
   protocol/KeyScheduler.cpp
   protocol/Certificate.cpp
+  protocol/OpenSSLFactory.cpp
   protocol/Params.cpp
   protocol/clock/SystemClock.cpp
   protocol/ech/Decrypter.cpp
@@ -239,6 +241,7 @@ set(FIZZ_SOURCES
   experimental/ktls/FizzKTLSCallback.cpp
   experimental/ktls/AsyncKTLSSocket.cpp
   experimental/ktls/KTLS.cpp
+  client/FizzClientContext.cpp
   client/State.cpp
   client/ClientProtocol.cpp
   client/PskSerializationUtils.cpp

diff --git a/fizz/client/FizzClientContext.cpp b/fizz/client/FizzClientContext.cpp
@@ -0,0 +1,21 @@
+/*
+ *  Copyright (c) 2018-present, Facebook, Inc.
+ *  All rights reserved.
+ *
+ *  This source code is licensed under the BSD-style license found in the
+ *  LICENSE file in the root directory of this source tree.
+ */
+
+#include "fizz/client/FizzClientContext.h"
+
+#include <fizz/protocol/OpenSSLFactory.h>
+
+namespace fizz {
+namespace client {
+
+FizzClientContext::FizzClientContext()
+    : factory_(std::make_shared<OpenSSLFactory>()),
+      clock_(std::make_shared<SystemClock>()) {}
+
+} // namespace client
+} // namespace fizz
diff --git a/fizz/client/FizzClientContext.h b/fizz/client/FizzClientContext.h
@@ -13,7 +13,6 @@
 #include <fizz/compression/CertDecompressionManager.h>
 #include <fizz/protocol/Certificate.h>
 #include <fizz/protocol/Factory.h>
-#include <fizz/protocol/OpenSSLFactory.h>
 #include <fizz/protocol/clock/SystemClock.h>
 #include <fizz/record/Types.h>
 
@@ -27,11 +26,11 @@ enum class SendKeyShare {
 
 class FizzClientContext {
  public:
-  FizzClientContext()
-      : factory_(std::make_shared<OpenSSLFactory>()),
-        clock_(std::make_shared<SystemClock>()) {}
-  FizzClientContext(std::shared_ptr<Factory> factory)
+  FizzClientContext();
+
+  explicit FizzClientContext(std::shared_ptr<Factory> factory)
       : factory_(std::move(factory)), clock_(std::make_shared<SystemClock>()) {}
+
   virtual ~FizzClientContext() = default;
 
   /**

diff --git a/fizz/client/PskSerializationUtils.h b/fizz/client/PskSerializationUtils.h
@@ -4,7 +4,6 @@
 
 #include <fizz/client/PskCache.h>
 #include <fizz/protocol/Factory.h>
-#include <fizz/protocol/OpenSSLFactory.h>
 
 namespace fizz {
 namespace client {

diff --git a/fizz/client/test/PskSerializationTest.cpp b/fizz/client/test/PskSerializationTest.cpp
@@ -7,6 +7,7 @@
  */
 #include <fizz/client/PskSerializationUtils.h>
 #include <fizz/client/test/Utilities.h>
+#include <fizz/protocol/test/Mocks.h>
 #include <folly/portability/GMock.h>
 #include <folly/portability/GTest.h>
 
@@ -20,7 +21,7 @@ class PskSerializationTest : public Test {
  public:
   void SetUp() override {
     ticketTime_ = std::chrono::system_clock::now();
-    factory_ = std::make_unique<fizz::OpenSSLFactory>();
+    factory_ = std::make_unique<fizz::test::MockFactory>();
   }
 
  protected:

diff --git a/fizz/experimental/ktls/test/AsyncFizzBaseKTLSTest.cpp b/fizz/experimental/ktls/test/AsyncFizzBaseKTLSTest.cpp
@@ -18,6 +18,7 @@
 #include <fizz/crypto/test/TestUtil.h>
 #include <fizz/experimental/ktls/AsyncFizzBaseKTLS.h>
 #include <fizz/protocol/Certificate.h>
+#include <fizz/protocol/test/Mocks.h>
 #include <fizz/server/AeadTicketCipher.h>
 #include <fizz/server/AsyncFizzServer.h>
 #include <fizz/server/CertManager.h>
@@ -228,7 +229,7 @@ makeTestServerContext() {
           fizz::test::kP256Certificate.str(), fizz::test::kP256Key.str()),
       true);
 
-  auto factory = std::make_shared<OpenSSLFactory>();
+  auto factory = std::make_shared<fizz::test::MockFactory>();
   auto certManager = std::make_shared<CertManager>();
   auto ticketCipher = std::make_shared<
       Aead128GCMTicketCipher<TicketCodec<CertificateStorage::X509>>>(

diff --git a/fizz/experimental/protocol/BatchSignatureFactory.h b/fizz/experimental/protocol/BatchSignatureFactory.h
@@ -14,8 +14,8 @@
 namespace fizz {
 
 /**
- * A decorator class for an exisiting Factory to generate PeerCert that supports
- * batch signature schemes.
+ * A decorator class for an exisiting DefaultFactory to generate PeerCert that
+ * supports batch signature schemes.
  */
 class BatchSignatureFactory : public Factory {
  public:
@@ -80,6 +80,10 @@ class BatchSignatureFactory : public Factory {
     return original_->makeTicketAgeAdd();
   }
 
+  std::unique_ptr<folly::IOBuf> makeRandomBytes(size_t count) const override {
+    return original_->makeRandomBytes(count);
+  }
+
   /**
    * Make BatchSigPeerCert instead of PeerCert.
    *
@@ -95,6 +99,10 @@ class BatchSignatureFactory : public Factory {
     return original_->makePeerCert(std::move(certEntry), leaf);
   }
 
+  std::shared_ptr<Cert> makeIdentityOnlyCert(std::string ident) const override {
+    return original_->makeIdentityOnlyCert(std::move(ident));
+  }
+
   std::string getHkdfPrefix() const override {
     return original_->getHkdfPrefix();
   }

diff --git a/fizz/protocol/DefaultFactory.h b/fizz/protocol/DefaultFactory.h
@@ -0,0 +1,75 @@
+/*
+ *  Copyright (c) 2018-present, Facebook, Inc.
+ *  All rights reserved.
+ *
+ *  This source code is licensed under the BSD-style license found in the
+ *  LICENSE file in the root directory of this source tree.
+ */
+
+#pragma once
+
+#include <fizz/protocol/Factory.h>
+
+namespace fizz {
+
+/**
+ * This class instantiates various objects to facilitate testing.
+ */
+class DefaultFactory : public Factory {
+ public:
+  [[nodiscard]] std::unique_ptr<PlaintextReadRecordLayer>
+  makePlaintextReadRecordLayer() const override {
+    return std::make_unique<PlaintextReadRecordLayer>();
+  }
+
+  [[nodiscard]] std::unique_ptr<PlaintextWriteRecordLayer>
+  makePlaintextWriteRecordLayer() const override {
+    return std::make_unique<PlaintextWriteRecordLayer>();
+  }
+
+  [[nodiscard]] std::unique_ptr<EncryptedReadRecordLayer>
+  makeEncryptedReadRecordLayer(EncryptionLevel encryptionLevel) const override {
+    return std::make_unique<EncryptedReadRecordLayer>(encryptionLevel);
+  }
+
+  [[nodiscard]] std::unique_ptr<EncryptedWriteRecordLayer>
+  makeEncryptedWriteRecordLayer(
+      EncryptionLevel encryptionLevel) const override {
+    return std::make_unique<EncryptedWriteRecordLayer>(encryptionLevel);
+  }
+
+  [[nodiscard]] std::unique_ptr<KeyScheduler> makeKeyScheduler(
+      CipherSuite cipher) const override {
+    auto keyDer = makeKeyDeriver(cipher);
+    return std::make_unique<KeyScheduler>(std::move(keyDer));
+  }
+
+  [[nodiscard]] Random makeRandom() const override {
+    return RandomGenerator<Random().size()>().generateRandom();
+  }
+
+  [[nodiscard]] uint32_t makeTicketAgeAdd() const override {
+    return RandomNumGenerator<uint32_t>().generateRandom();
+  }
+
+  [[nodiscard]] std::unique_ptr<folly::IOBuf> makeRandomBytes(
+      size_t count) const override {
+    return RandomBufGenerator(count).generateRandom();
+  }
+
+  [[nodiscard]] std::shared_ptr<PeerCert> makePeerCert(
+      CertificateEntry certEntry,
+      bool /*leaf*/) const override {
+    return CertUtils::makePeerCert(std::move(certEntry.cert_data));
+  }
+
+  [[nodiscard]] std::shared_ptr<Cert> makeIdentityOnlyCert(
+      std::string ident) const override {
+    return std::make_shared<IdentityCert>(std::move(ident));
+  }
+
+  [[nodiscard]] std::string getHkdfPrefix() const override {
+    return kHkdfLabelPrefix.str();
+  }
+};
+} // namespace fizz
diff --git a/fizz/protocol/Factory.h b/fizz/protocol/Factory.h
@@ -8,133 +8,77 @@
 
 #pragma once
 
-#include <fizz/fizz-config.h>
-#if FIZZ_BUILD_AEGIS
-#include <fizz/crypto/aead/AEGISCipher.h>
-#endif
+#include <memory>
+#include <string>
 
+#include <fizz/crypto/KeyDerivation.h>
 #include <fizz/crypto/RandomGenerator.h>
-#include <fizz/crypto/aead/AESGCM128.h>
-#include <fizz/crypto/aead/AESGCM256.h>
-#include <fizz/crypto/aead/AESOCB128.h>
-#include <fizz/crypto/aead/ChaCha20Poly1305.h>
-#include <fizz/crypto/aead/OpenSSLEVPCipher.h>
-#include <fizz/crypto/exchange/ECCurveKeyExchange.h>
+#include <fizz/crypto/aead/Aead.h>
 #include <fizz/crypto/exchange/KeyExchange.h>
-#include <fizz/crypto/exchange/X25519.h>
 #include <fizz/protocol/Certificate.h>
 #include <fizz/protocol/HandshakeContext.h>
-#include <fizz/protocol/IFactory.h>
 #include <fizz/protocol/KeyScheduler.h>
+#include <fizz/protocol/Types.h>
 #include <fizz/record/EncryptedRecordLayer.h>
 #include <fizz/record/PlaintextRecordLayer.h>
 #include <fizz/record/Types.h>
+#include <folly/io/async/AsyncTransportCertificate.h>
 
 namespace fizz {
 
+class PeerCert;
+
 /**
  * This class instantiates various objects to facilitate testing.
  */
-class Factory : public IFactory {
+class Factory {
  public:
+  enum class KeyExchangeMode { Server, Client };
+
+  virtual ~Factory() = default;
+
   virtual std::unique_ptr<PlaintextReadRecordLayer>
-  makePlaintextReadRecordLayer() const override {
-    return std::make_unique<PlaintextReadRecordLayer>();
-  }
+  makePlaintextReadRecordLayer() const = 0;
 
   virtual std::unique_ptr<PlaintextWriteRecordLayer>
-  makePlaintextWriteRecordLayer() const override {
-    return std::make_unique<PlaintextWriteRecordLayer>();
-  }
+  makePlaintextWriteRecordLayer() const = 0;
 
   virtual std::unique_ptr<EncryptedReadRecordLayer>
-  makeEncryptedReadRecordLayer(EncryptionLevel encryptionLevel) const override {
-    return std::make_unique<EncryptedReadRecordLayer>(encryptionLevel);
-  }
+  makeEncryptedReadRecordLayer(EncryptionLevel encryptionLevel) const = 0;
 
   virtual std::unique_ptr<EncryptedWriteRecordLayer>
-  makeEncryptedWriteRecordLayer(
-      EncryptionLevel encryptionLevel) const override {
-    return std::make_unique<EncryptedWriteRecordLayer>(encryptionLevel);
-  }
+  makeEncryptedWriteRecordLayer(EncryptionLevel encryptionLevel) const = 0;
 
   virtual std::unique_ptr<KeyScheduler> makeKeyScheduler(
-      CipherSuite cipher) const override {
-    auto keyDer = makeKeyDeriver(cipher);
-    return std::make_unique<KeyScheduler>(std::move(keyDer));
-  }
+      CipherSuite cipher) const = 0;
 
   virtual std::unique_ptr<KeyDerivation> makeKeyDeriver(
-      CipherSuite cipher) const override = 0;
+      CipherSuite cipher) const = 0;
 
   virtual std::unique_ptr<HandshakeContext> makeHandshakeContext(
-      CipherSuite cipher) const override = 0;
+      CipherSuite cipher) const = 0;
 
   virtual std::unique_ptr<KeyExchange> makeKeyExchange(
       NamedGroup group,
-      KeyExchangeMode mode) const override {
-    (void)mode;
-    switch (group) {
-      case NamedGroup::secp256r1:
-        return std::make_unique<OpenSSLECKeyExchange<P256>>();
-      case NamedGroup::secp384r1:
-        return std::make_unique<OpenSSLECKeyExchange<P384>>();
-      case NamedGroup::secp521r1:
-        return std::make_unique<OpenSSLECKeyExchange<P521>>();
-      case NamedGroup::x25519:
-        return std::make_unique<X25519KeyExchange>();
-      default:
-        throw std::runtime_error("ke: not implemented");
-    }
-  }
-
-  virtual std::unique_ptr<Aead> makeAead(CipherSuite cipher) const override {
-    switch (cipher) {
-      case CipherSuite::TLS_CHACHA20_POLY1305_SHA256:
-        return OpenSSLEVPCipher::makeCipher<ChaCha20Poly1305>();
-      case CipherSuite::TLS_AES_128_GCM_SHA256:
-        return OpenSSLEVPCipher::makeCipher<AESGCM128>();
-      case CipherSuite::TLS_AES_256_GCM_SHA384:
-        return OpenSSLEVPCipher::makeCipher<AESGCM256>();
-      case CipherSuite::TLS_AES_128_OCB_SHA256_EXPERIMENTAL:
-        return OpenSSLEVPCipher::makeCipher<AESOCB128>();
-#if FIZZ_BUILD_AEGIS
-      case CipherSuite::TLS_AEGIS_256_SHA384:
-        return AEGISCipher::make256();
-      case CipherSuite::TLS_AEGIS_128L_SHA256:
-        return AEGISCipher::make128L();
-#endif
-      default:
-        throw std::runtime_error("aead: not implemented");
-    }
-  }
-
-  virtual Random makeRandom() const override {
-    return RandomGenerator<Random().size()>().generateRandom();
-  }
-
-  virtual uint32_t makeTicketAgeAdd() const override {
-    return RandomNumGenerator<uint32_t>().generateRandom();
-  }
-
-  virtual std::unique_ptr<folly::IOBuf> makeRandomBytes(
-      size_t count) const override {
-    return RandomBufGenerator(count).generateRandom();
-  }
+      KeyExchangeMode mode) const = 0;
+
+  [[nodiscard]] virtual std::unique_ptr<Aead> makeAead(
+      CipherSuite cipher) const = 0;
+
+  [[nodiscard]] virtual Random makeRandom() const = 0;
+
+  [[nodiscard]] virtual uint32_t makeTicketAgeAdd() const = 0;
+
+  [[nodiscard]] virtual std::unique_ptr<folly::IOBuf> makeRandomBytes(
+      size_t count) const = 0;
 
   virtual std::shared_ptr<PeerCert> makePeerCert(
       CertificateEntry certEntry,
-      bool /*leaf*/) const override {
-    return CertUtils::makePeerCert(std::move(certEntry.cert_data));
-  }
-
-  virtual std::shared_ptr<Cert> makeIdentityOnlyCert(
-      std::string ident) const override {
-    return std::make_shared<IdentityCert>(std::move(ident));
-  }
-
-  virtual std::string getHkdfPrefix() const override {
-    return kHkdfLabelPrefix.str();
-  }
+      bool /*leaf*/) const = 0;
+
+  [[nodiscard]] virtual std::shared_ptr<folly::AsyncTransportCertificate>
+  makeIdentityOnlyCert(std::string ident) const = 0;
+
+  [[nodiscard]] virtual std::string getHkdfPrefix() const = 0;
 };
 } // namespace fizz