clean up hash function types

Summary: - remove the `openssl::<Hash>` types (Hash=Sha256, Sha384, Sha512) - create `openssl::Hasher` template - use that template in `openssl::Properties<Hash>` - change dependencies from `fizz::openssl::Hash` to either `fizz::Hash` or `fizz::openssl::Hasher<fizz::Hash>` Main changes are in: fbcode/fizz/backend/openssl/Hasher.h fbcode/fizz/backend/TARGETS fizz/backend/openssl/crypto/Sha256.h fizz/backend/openssl/crypto/Sha384.h fizz/backend/openssl/crypto/Sha512.h The rest are dependency changes. Reviewed By: mingtaoy Differential Revision: D55905248 fbshipit-source-id: 2dd71b6d26990d963e45e100750be1d326cb1336
facebookincubator · May 23, 2024 · ae2728a · ae2728a
1 parent 43a4594
commit ae2728a
Show file tree

Hide file tree

Showing 40 changed files with 177 additions and 159 deletions.
diff --git a/fizz/backend/BUCK b/fizz/backend/BUCK
@@ -58,3 +58,29 @@ cpp_library(
         ("openssl", None, "crypto"),
     ],
 )
+
+# TODO (zale): Remove this.
+# this is temporary for things outside backend/openssl that still need to
+# reference some openssl Propertis. But those will be cleaned up and this
+# target will be removed.
+cpp_library(
+    name = "openssl_hasher",
+    headers = [
+        "openssl/Hasher.h",
+        "openssl/Properties.h",
+        "openssl/crypto/Sha.h",
+        "openssl/crypto/Sha-inl.h",
+        "openssl/crypto/Sha256.h",
+        "openssl/crypto/Sha384.h",
+        "openssl/crypto/Sha512.h",
+    ],
+    exported_deps = [
+        "//fizz/crypto:crypto",
+        "//folly:range",
+        "//folly/io:iobuf",
+        "//folly/ssl:openssl_hash",
+    ],
+    exported_external_deps = [
+        ("openssl", None, "crypto"),
+    ],
+)
diff --git a/fizz/backend/openssl/Hasher.h b/fizz/backend/openssl/Hasher.h
@@ -0,0 +1,27 @@
+/*
+ *  Copyright (c) 2018-present, Facebook, Inc.
+ *  All rights reserved.
+ *
+ *  This source code is licensed under the BSD-style license found in the
+ *  LICENSE file in the root directory of this source tree.
+ */
+
+#pragma once
+
+#include <fizz/backend/openssl/crypto/Sha.h>
+#include <fizz/backend/openssl/crypto/Sha256.h>
+#include <fizz/backend/openssl/crypto/Sha384.h>
+#include <fizz/backend/openssl/crypto/Sha512.h>
+#include <folly/Range.h>
+
+namespace fizz::openssl {
+template <typename T>
+struct HasherType {
+  static constexpr size_t HashLen = T::HashLen;
+  static constexpr folly::StringPiece BlankHash = T::BlankHash;
+  static constexpr auto HashEngine = Properties<T>::HashEngine;
+};
+
+template <class T>
+using Hasher = Sha<HasherType<T>>;
+} // namespace fizz::openssl
diff --git a/fizz/backend/openssl/OpenSSL.h b/fizz/backend/openssl/OpenSSL.h
@@ -11,6 +11,7 @@ Include this file to use openssl features.
 
 #include <fizz/fizz-config.h>
 
+#include <fizz/backend/openssl/Hasher.h>
 #include <fizz/backend/openssl/OpenSSLFactory.h>
 #include <fizz/backend/openssl/Properties.h>
 #include <fizz/backend/openssl/certificate/CertUtils.h>

diff --git a/fizz/backend/openssl/OpenSSLFactory.cpp b/fizz/backend/openssl/OpenSSLFactory.cpp
@@ -111,10 +111,12 @@ std::unique_ptr<HandshakeContext> OpenSSLFactory::makeHandshakeContext(
     case CipherSuite::TLS_AES_128_GCM_SHA256:
     case CipherSuite::TLS_AES_128_OCB_SHA256_EXPERIMENTAL:
     case CipherSuite::TLS_AEGIS_128L_SHA256:
-      return std::make_unique<HandshakeContextImpl<Sha256>>(getHkdfPrefix());
+      return std::make_unique<HandshakeContextImpl<fizz::Sha256>>(
+          getHkdfPrefix());
     case CipherSuite::TLS_AES_256_GCM_SHA384:
     case CipherSuite::TLS_AEGIS_256_SHA512:
-      return std::make_unique<HandshakeContextImpl<Sha384>>(getHkdfPrefix());
+      return std::make_unique<HandshakeContextImpl<fizz::Sha384>>(
+          getHkdfPrefix());
     default:
       throw std::runtime_error("hs: not implemented");
   }

diff --git a/fizz/backend/openssl/crypto/Sha256.h b/fizz/backend/openssl/crypto/Sha256.h
@@ -12,25 +12,14 @@
 #include <fizz/backend/openssl/crypto/Sha.h>
 #include <fizz/crypto/Crypto.h>
 #include <openssl/evp.h>
-#include <array>
 
 namespace fizz {
 namespace openssl {
 
-class Sha256 : public Sha<Sha256> {
- public:
-  static constexpr size_t HashLen = 32;
-
-  static constexpr auto HashEngine = EVP_sha256;
-
-  static constexpr folly::StringPiece BlankHash{
-      "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55"};
-};
-
 template <>
 struct Properties<fizz::Sha256> {
   static constexpr auto HashEngine = EVP_sha256;
-  // TODO: include Sha<Sha256> hasher as part of this struct.
 };
+
 } // namespace openssl
 } // namespace fizz
diff --git a/fizz/backend/openssl/crypto/Sha384.h b/fizz/backend/openssl/crypto/Sha384.h
@@ -12,25 +12,13 @@
 #include <fizz/backend/openssl/crypto/Sha.h>
 #include <fizz/crypto/Crypto.h>
 #include <openssl/evp.h>
-#include <array>
 
 namespace fizz {
 namespace openssl {
 
-class Sha384 : public Sha<Sha384> {
- public:
-  static constexpr size_t HashLen = 48;
-
-  static constexpr auto HashEngine = EVP_sha384;
-
-  static constexpr folly::StringPiece BlankHash{
-      "\x38\xb0\x60\xa7\x51\xac\x96\x38\x4c\xd9\x32\x7e\xb1\xb1\xe3\x6a\x21\xfd\xb7\x11\x14\xbe\x07\x43\x4c\x0c\xc7\xbf\x63\xf6\xe1\xda\x27\x4e\xde\xbf\xe7\x6f\x65\xfb\xd5\x1a\xd2\xf1\x48\x98\xb9\x5b"};
-};
-
 template <>
 struct Properties<fizz::Sha384> {
   static constexpr auto HashEngine = EVP_sha384;
-  // TODO: include Sha<Sha384> hasher as part of this struct.
 };
 
 } // namespace openssl

diff --git a/fizz/backend/openssl/crypto/Sha512.h b/fizz/backend/openssl/crypto/Sha512.h
@@ -12,25 +12,13 @@
 #include <fizz/backend/openssl/crypto/Sha.h>
 #include <fizz/crypto/Crypto.h>
 #include <openssl/evp.h>
-#include <array>
 
 namespace fizz {
 namespace openssl {
 
-class Sha512 : public Sha<Sha512> {
- public:
-  static constexpr size_t HashLen = 64;
-
-  static constexpr auto HashEngine = EVP_sha512;
-
-  static constexpr folly::StringPiece BlankHash{
-      "\xcf\x83\xe1\x35\x7e\xef\xb8\xbd\xf1\x54\x28\x50\xd6\x6d\x80\x07\xd6\x20\xe4\x05\x0b\x57\x15\xdc\x83\xf4\xa9\x21\xd3\x6c\xe9\xce\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0\xff\x83\x18\xd2\x87\x7e\xec\x2f\x63\xb9\x31\xbd\x47\x41\x7a\x81\xa5\x38\x32\x7a\xf9\x27\xda\x3e"};
-};
-
 template <>
 struct Properties<fizz::Sha512> {
   static constexpr auto HashEngine = EVP_sha512;
-  // TODO: include Sha<Sha512> hasher as part of this struct.
 };
 
 } // namespace openssl

diff --git a/fizz/crypto/BUCK b/fizz/crypto/BUCK
@@ -24,6 +24,7 @@ cpp_library(
         "Hkdf.h",
     ],
     exported_deps = [
+        "//fizz/backend:openssl_hasher",
         "//folly/io:iobuf",
     ],
 )
@@ -38,6 +39,7 @@ cpp_library(
     ],
     exported_deps = [
         ":hkdf",
+        "//fizz/backend:openssl_hasher",
         "//fizz/record:record",
     ],
 )

diff --git a/fizz/crypto/Hkdf.h b/fizz/crypto/Hkdf.h
@@ -8,6 +8,7 @@
 
 #pragma once
 
+#include <fizz/backend/openssl/Hasher.h>
 #include <folly/io/IOBuf.h>
 
 namespace fizz {
@@ -52,7 +53,7 @@ class HkdfImpl : public Hkdf {
  public:
   template <typename Hash>
   static HkdfImpl create() {
-    return HkdfImpl(Hash::HashLen, &Hash::hmac);
+    return HkdfImpl(Hash::HashLen, &openssl::Hasher<Hash>::hmac);
   }
 
   std::vector<uint8_t> extract(folly::ByteRange salt, folly::ByteRange ikm)

diff --git a/fizz/crypto/KeyDerivation.h b/fizz/crypto/KeyDerivation.h
@@ -8,6 +8,7 @@
 
 #pragma once
 
+#include <fizz/backend/openssl/Hasher.h>
 #include <fizz/crypto/Hkdf.h>
 #include <fizz/record/Types.h>
 
@@ -68,8 +69,8 @@ class KeyDerivationImpl : public KeyDerivation {
     return KeyDerivationImpl(
         labelPrefix,
         Hash::HashLen,
-        &Hash::hash,
-        &Hash::hmac,
+        &openssl::Hasher<Hash>::hash,
+        &openssl::Hasher<Hash>::hmac,
         HkdfImpl::create<Hash>(),
         Hash::BlankHash);
   }
@@ -80,8 +81,8 @@ class KeyDerivationImpl : public KeyDerivation {
     return std::unique_ptr<KeyDerivationImpl>(new KeyDerivationImpl(
         labelPrefix,
         Hash::HashLen,
-        &Hash::hash,
-        &Hash::hmac,
+        &openssl::Hasher<Hash>::hash,
+        &openssl::Hasher<Hash>::hmac,
         HkdfImpl::create<Hash>(),
         Hash::BlankHash));
   }

diff --git a/fizz/crypto/hpke/Utils.cpp b/fizz/crypto/hpke/Utils.cpp
@@ -132,15 +132,15 @@ std::unique_ptr<Hkdf> makeHpkeHkdf(
     case KDFId::Sha256:
       return std::make_unique<Hkdf>(
           std::move(prefix),
-          std::make_unique<HkdfImpl>(HkdfImpl::create<openssl::Sha256>()));
+          std::make_unique<HkdfImpl>(HkdfImpl::create<Sha256>()));
     case KDFId::Sha384:
       return std::make_unique<Hkdf>(
           std::move(prefix),
-          std::make_unique<HkdfImpl>(HkdfImpl::create<openssl::Sha384>()));
+          std::make_unique<HkdfImpl>(HkdfImpl::create<Sha384>()));
     case KDFId::Sha512:
       return std::make_unique<Hkdf>(
           std::move(prefix),
-          std::make_unique<HkdfImpl>(HkdfImpl::create<openssl::Sha512>()));
+          std::make_unique<HkdfImpl>(HkdfImpl::create<Sha512>()));
     default:
       throw std::runtime_error("hkdf: not implemented");
   }

diff --git a/fizz/crypto/hpke/test/ContextTest.cpp b/fizz/crypto/hpke/test/ContextTest.cpp
@@ -54,7 +54,7 @@ TEST_P(HpkeContextTest, TestContext) {
       toIOBuf(kExportSecret),
       std::make_unique<fizz::hpke::Hkdf>(
           kPrefix->clone(),
-          std::make_unique<HkdfImpl>(HkdfImpl::create<openssl::Sha256>())),
+          std::make_unique<HkdfImpl>(HkdfImpl::create<Sha256>())),
       suiteId->clone(),
       fizz::hpke::HpkeContext::Role::Sender);
   auto gotCiphertext = encryptContext.seal(
@@ -70,7 +70,7 @@ TEST_P(HpkeContextTest, TestContext) {
       toIOBuf(kExportSecret),
       std::make_unique<fizz::hpke::Hkdf>(
           kPrefix->clone(),
-          std::make_unique<HkdfImpl>(HkdfImpl::create<openssl::Sha256>())),
+          std::make_unique<HkdfImpl>(HkdfImpl::create<Sha256>())),
       std::move(suiteId),
       fizz::hpke::HpkeContext::Role::Receiver);
   auto gotPlaintext = decryptContext.open(
@@ -93,7 +93,7 @@ TEST_P(HpkeContextTest, TestContextRoles) {
       toIOBuf(kExportSecret),
       std::make_unique<fizz::hpke::Hkdf>(
           kPrefix->clone(),
-          std::make_unique<HkdfImpl>(HkdfImpl::create<openssl::Sha256>())),
+          std::make_unique<HkdfImpl>(HkdfImpl::create<Sha256>())),
       suiteId->clone(),
       fizz::hpke::HpkeContext::Role::Sender);
 
@@ -105,7 +105,7 @@ TEST_P(HpkeContextTest, TestContextRoles) {
       toIOBuf(kExportSecret),
       std::make_unique<fizz::hpke::Hkdf>(
           kPrefix->clone(),
-          std::make_unique<HkdfImpl>(HkdfImpl::create<openssl::Sha256>())),
+          std::make_unique<HkdfImpl>(HkdfImpl::create<Sha256>())),
       std::move(suiteId),
       fizz::hpke::HpkeContext::Role::Receiver);
 
@@ -138,7 +138,7 @@ TEST_P(HpkeContextTest, TestExportSecret) {
         toIOBuf(testParam.exporterSecret),
         std::make_unique<fizz::hpke::Hkdf>(
             kPrefix->clone(),
-            std::make_unique<HkdfImpl>(HkdfImpl::create<openssl::Sha256>())),
+            std::make_unique<HkdfImpl>(HkdfImpl::create<Sha256>())),
         std::move(suiteId),
         role);
     auto secret = context.exportSecret(std::move(exporterContext), 32);
@@ -166,7 +166,7 @@ TEST_P(HpkeContextTest, TestExportSecretThrow) {
         toIOBuf(testParam.exporterSecret),
         std::make_unique<fizz::hpke::Hkdf>(
             kPrefix->clone(),
-            std::make_unique<HkdfImpl>(HkdfImpl::create<openssl::Sha256>())),
+            std::make_unique<HkdfImpl>(HkdfImpl::create<Sha256>())),
         std::move(suiteId),
         role);
 

diff --git a/fizz/crypto/hpke/test/DHKEMTest.cpp b/fizz/crypto/hpke/test/DHKEMTest.cpp
@@ -64,7 +64,7 @@ DHKEM getDHKEM(std::unique_ptr<KeyExchange> actualKex, NamedGroup group) {
   auto prefix = "HPKE-v1";
   auto hkdf = std::make_unique<fizz::hpke::Hkdf>(
       folly::IOBuf::copyBuffer(prefix),
-      std::make_unique<HkdfImpl>(HkdfImpl::create<openssl::Sha256>()));
+      std::make_unique<HkdfImpl>(HkdfImpl::create<Sha256>()));
   return DHKEM(
       std::make_unique<MockKeyExchange>(std::move(actualKex)),
       group,

diff --git a/fizz/crypto/test/HkdfTest.cpp b/fizz/crypto/test/HkdfTest.cpp
@@ -33,7 +33,7 @@ TEST_P(HkdfTest, TestHkdfSha256Expand) {
   auto expectedOkm = toIOBuf(GetParam().okm);
   CHECK_EQ(outputBytes, expectedOkm->length());
 
-  auto actualOkm = HkdfImpl::create<openssl::Sha256>().hkdf(
+  auto actualOkm = HkdfImpl::create<Sha256>().hkdf(
       ikm->coalesce(), salt->coalesce(), *info, outputBytes);
   EXPECT_FALSE(actualOkm->isChained());
   EXPECT_EQ(outputBytes, actualOkm->length());

diff --git a/fizz/crypto/test/KeyDerivationTest.cpp b/fizz/crypto/test/KeyDerivationTest.cpp
@@ -35,8 +35,7 @@ TEST_P(KeyDerivationTest, ExpandLabel) {
 
   auto secret = std::vector<uint8_t>(prk.begin(), prk.end());
 
-  auto deriver =
-      KeyDerivationImpl::create<openssl::Sha256>(kHkdfLabelPrefix.str());
+  auto deriver = KeyDerivationImpl::create<Sha256>(kHkdfLabelPrefix.str());
   auto out = deriver.expandLabel(
       range(secret),
       GetParam().label,
@@ -49,28 +48,23 @@ TEST_P(KeyDerivationTest, ExpandLabel) {
 TEST(KeyDerivation, DeriveSecret) {
   // dummy prk
   std::vector<uint8_t> secret(
-      KeyDerivationImpl::create<openssl::Sha256>(kHkdfLabelPrefix.str())
-          .hashLength());
+      KeyDerivationImpl::create<Sha256>(kHkdfLabelPrefix.str()).hashLength());
   std::vector<uint8_t> messageHash(
-      KeyDerivationImpl::create<openssl::Sha256>(kHkdfLabelPrefix.str())
-          .hashLength());
-  auto deriver =
-      KeyDerivationImpl::create<openssl::Sha256>(kHkdfLabelPrefix.str());
+      KeyDerivationImpl::create<Sha256>(kHkdfLabelPrefix.str()).hashLength());
+  auto deriver = KeyDerivationImpl::create<Sha256>(kHkdfLabelPrefix.str());
   deriver.deriveSecret(
       range(secret), "hey", range(messageHash), deriver.hashLength());
 }
 
 TEST(KeyDerivation, Sha256BlankHash) {
   std::vector<uint8_t> computed(
-      KeyDerivationImpl::create<openssl::Sha256>(kHkdfLabelPrefix.str())
-          .hashLength());
+      KeyDerivationImpl::create<Sha256>(kHkdfLabelPrefix.str()).hashLength());
   folly::IOBuf blankBuf;
-  openssl::Sha256::hash(
+  openssl::Hasher<Sha256>::hash(
       blankBuf, MutableByteRange(computed.data(), computed.size()));
   EXPECT_EQ(
-      StringPiece(
-          KeyDerivationImpl::create<openssl::Sha256>(kHkdfLabelPrefix.str())
-              .blankHash()),
+      StringPiece(KeyDerivationImpl::create<Sha256>(kHkdfLabelPrefix.str())
+                      .blankHash()),
       StringPiece(folly::range(computed)));
 }
 

diff --git a/fizz/experimental/batcher/Batcher.h b/fizz/experimental/batcher/Batcher.h
@@ -137,7 +137,7 @@ class Batcher {
  * A batcher to store and manage the Merkle Tree globally for multiple threads.
  * The underlying Merkle Tree will be shared by all threads.
  */
-template <typename Hash = openssl::Sha256>
+template <typename Hash = Sha256>
 class SynchronizedBatcher : public Batcher<Hash> {
  public:
   SynchronizedBatcher(
@@ -196,7 +196,7 @@ class SynchronizedBatcher : public Batcher<Hash> {
  * A batcher to store and manage the Merkle Tree for each thread.
  * Each thread will have a Merkle Tree.
  */
-template <typename Hash = openssl::Sha256>
+template <typename Hash = Sha256>
 class ThreadLocalBatcher : public Batcher<Hash> {
  public:
   ThreadLocalBatcher(