src: move more crypto impl detail to ncrypto dep

* remove obsolete LogSecret function * move StackOfX509 decl to ncrypto * colocate GetSSLOCSPResponse with callsite * move x509 error code and reason to ncrypto * simplify X509Pointer/X509View pointer derefs a bit * move prime gen and checks to ncrypto * move BN_* methods into ncrypto * move SSLPointer impl to ncrypto * move SSLCtxPointer impl to ncrypto * move EVP_CIPHER methods to ncrypto * move CipherCtx methods to ncrypto PR-URL: #56421 Reviewed-By: Yagiz Nizipli <[email protected]>

Author: jasnell

deps/ncrypto/ncrypto.cc

@@ -13,6 +13,7 @@
 #include<openssl/ssl.h>
 #include<openssl/x509.h>
 #include<cstddef>
+#include<functional>
 #include<list>
 #include<memory>
 #include<optional>
@@ -195,7 +196,7 @@ template <typename T, void (*function)(T*)>
 using DeleteFnPtr = typename FunctionDeleter<T, function>::Pointer;
 
 using BignumCtxPointer = DeleteFnPtr<BN_CTX, BN_CTX_free>
-usingCipherCtxPointer = DeleteFnPtr<EVP_CIPHER_CTX, EVP_CIPHER_CTX_free>
+usingBignumGenCallbackPointer = DeleteFnPtr<BN_GENCB, BN_GENCB_free>
 using DSAPointer = DeleteFnPtr<DSA, DSA_free>
 using DSASigPointer = DeleteFnPtr<DSA_SIG, DSA_SIG_free>
 using ECDSASigPointer = DeleteFnPtr<ECDSA_SIG, ECDSA_SIG_free>
@@ -209,10 +210,10 @@ using HMACCtxPointer = DeleteFnPtr<HMAC_CTX, HMAC_CTX_free>
 using NetscapeSPKIPointer = DeleteFnPtr<NETSCAPE_SPKI, NETSCAPE_SPKI_free>
 using PKCS8Pointer = DeleteFnPtr<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free>
 using RSAPointer = DeleteFnPtr<RSA, RSA_free>
-using SSLCtxPointer = DeleteFnPtr<SSL_CTX, SSL_CTX_free>
-using SSLPointer = DeleteFnPtr<SSL, SSL_free>
 using SSLSessionPointer = DeleteFnPtr<SSL_SESSION, SSL_SESSION_free>
 
+classCipherCtxPointer;
+
 structStackOfXASN1Deleter{
 voidoperator()(STACK_OF(ASN1_OBJECT) * p) const{
 sk_ASN1_OBJECT_pop_free(p, ASN1_OBJECT_free);
@@ -227,6 +228,40 @@ struct Buffer{
 size_t len = 0;
 };
 
+classCipherfinal{
+public:
+Cipher() = default;
+Cipher(const EVP_CIPHER* cipher) : cipher_(cipher){}
+Cipher(const Cipher&) = default;
+ Cipher& operator=(const Cipher&) = default;
+inline Cipher& operator=(const EVP_CIPHER* cipher){
+ cipher_ = cipher;
+return *this;
+ }
+NCRYPTO_DISALLOW_MOVE(Cipher)
+
+inlineconst EVP_CIPHER* get() const{return cipher_}
+inlineoperatorconst EVP_CIPHER*() const{return cipher_}
+inlineoperatorbool() const{return cipher_ != nullptr}
+
+intgetNid() const;
+intgetMode() const;
+intgetIvLength() const;
+intgetKeyLength() const;
+intgetBlockSize() const;
+ std::string_view getModeLabel() const;
+ std::string_view getName() const;
+
+boolisSupportedAuthenticatedMode() const;
+
+staticconst Cipher FromName(constchar* name);
+staticconst Cipher FromNid(int nid);
+staticconst Cipher FromCtx(const CipherCtxPointer& ctx);
+
+private:
+const EVP_CIPHER* cipher_ = nullptr;
+};
+
 // A managed pointer to a buffer of data. When destroyed the underlying
 // buffer will be freed.
 classDataPointerfinal{
@@ -272,6 +307,7 @@ class BIOPointer final{
 static BIOPointer NewSecMem();
 static BIOPointer New(const BIO_METHOD* method);
 static BIOPointer New(constvoid* data, size_t len);
+static BIOPointer New(const BIGNUM* bn);
 static BIOPointer NewFile(std::string_view filename, std::string_view mode);
 static BIOPointer NewFp(FILE* fd, int flags);
 
@@ -350,8 +386,28 @@ class BignumPointer final{
 size_tencodeInto(unsignedchar* out) const;
 size_tencodePaddedInto(unsignedchar* out, size_t size) const;
 
+using PrimeCheckCallback = std::function<bool(int, int)>
+intisPrime(int checks,
+ PrimeCheckCallback cb = defaultPrimeCheckCallback) const;
+structPrimeConfig{
+int bits;
+bool safe = false;
+const BignumPointer& add;
+const BignumPointer& rem;
+ };
+
+static BignumPointer NewPrime(
+const PrimeConfig& params,
+ PrimeCheckCallback cb = defaultPrimeCheckCallback);
+
+boolgenerate(const PrimeConfig& params,
+ PrimeCheckCallback cb = defaultPrimeCheckCallback) const;
+
 static BignumPointer New();
 static BignumPointer NewSecure();
+static BignumPointer NewSub(const BignumPointer& a, const BignumPointer& b);
+static BignumPointer NewLShift(size_t length);
+
 static DataPointer Encode(const BIGNUM* bn);
 static DataPointer EncodePadded(const BIGNUM* bn, size_t size);
 staticsize_tEncodePaddedInto(const BIGNUM* bn,
@@ -366,6 +422,53 @@ class BignumPointer final{
 
 private:
  DeleteFnPtr<BIGNUM, BN_clear_free> bn_;
+
+staticbooldefaultPrimeCheckCallback(int, int){return1}
+};
+
+classCipherCtxPointerfinal{
+public:
+static CipherCtxPointer New();
+
+CipherCtxPointer() = default;
+explicitCipherCtxPointer(EVP_CIPHER_CTX* ctx);
+CipherCtxPointer(CipherCtxPointer&& other) noexcept;
+ CipherCtxPointer& operator=(CipherCtxPointer&& other) noexcept;
+NCRYPTO_DISALLOW_COPY(CipherCtxPointer)
+~CipherCtxPointer();
+
+inlinebooloperator==(std::nullptr_t) constnoexcept{
+return ctx_ == nullptr;
+ }
+inlineoperatorbool() const{return ctx_ != nullptr}
+inline EVP_CIPHER_CTX* get() const{return ctx_.get()}
+inlineoperator EVP_CIPHER_CTX*() const{return ctx_.get()}
+voidreset(EVP_CIPHER_CTX* ctx = nullptr);
+ EVP_CIPHER_CTX* release();
+
+voidsetFlags(int flags);
+boolsetKeyLength(size_t length);
+boolsetIvLength(size_t length);
+boolsetAeadTag(const Buffer<constchar>& tag);
+boolsetAeadTagLength(size_t length);
+boolsetPadding(bool padding);
+boolinit(const Cipher& cipher,
+bool encrypt,
+constunsignedchar* key = nullptr,
+constunsignedchar* iv = nullptr);
+
+intgetBlockSize() const;
+intgetMode() const;
+intgetNid() const;
+
+boolupdate(const Buffer<constunsignedchar>& in,
+unsignedchar* out,
+int* out_len,
+bool finalize = false);
+boolgetAeadTag(size_t len, unsignedchar* out);
+
+private:
+ DeleteFnPtr<EVP_CIPHER_CTX, EVP_CIPHER_CTX_free> ctx_;
 };
 
 classEVPKeyPointerfinal{
@@ -551,7 +654,85 @@ class DHPointer final{
  DeleteFnPtr<DH, DH_free> dh_;
 };
 
+structStackOfX509Deleter{
+voidoperator()(STACK_OF(X509) * p) const{sk_X509_pop_free(p, X509_free)}
+};
+using StackOfX509 = std::unique_ptr<STACK_OF(X509), StackOfX509Deleter>
+
 classX509Pointer;
+classX509View;
+
+classSSLCtxPointerfinal{
+public:
+SSLCtxPointer() = default;
+explicitSSLCtxPointer(SSL_CTX* ctx);
+SSLCtxPointer(SSLCtxPointer&& other) noexcept;
+ SSLCtxPointer& operator=(SSLCtxPointer&& other) noexcept;
+NCRYPTO_DISALLOW_COPY(SSLCtxPointer)
+~SSLCtxPointer();
+
+inlinebooloperator==(std::nullptr_t) constnoexcept{
+return ctx_ == nullptr;
+ }
+inlineoperatorbool() const{return ctx_ != nullptr}
+inline SSL_CTX* get() const{return ctx_.get()}
+voidreset(SSL_CTX* ctx = nullptr);
+voidreset(const SSL_METHOD* method);
+ SSL_CTX* release();
+
+boolsetGroups(constchar* groups);
+voidsetStatusCallback(auto callback){
+if (!ctx_) return;
+SSL_CTX_set_tlsext_status_cb(get(), callback);
+SSL_CTX_set_tlsext_status_arg(get(), nullptr);
+ }
+
+static SSLCtxPointer NewServer();
+static SSLCtxPointer NewClient();
+static SSLCtxPointer New(const SSL_METHOD* method = TLS_method());
+
+private:
+ DeleteFnPtr<SSL_CTX, SSL_CTX_free> ctx_;
+};
+
+classSSLPointerfinal{
+public:
+SSLPointer() = default;
+explicitSSLPointer(SSL* ssl);
+SSLPointer(SSLPointer&& other) noexcept;
+ SSLPointer& operator=(SSLPointer&& other) noexcept;
+NCRYPTO_DISALLOW_COPY(SSLPointer)
+~SSLPointer();
+
+inlinebooloperator==(std::nullptr_t) noexcept{return ssl_ == nullptr}
+inlineoperatorbool() const{return ssl_ != nullptr}
+inline SSL* get() const{return ssl_.get()}
+inlineoperator SSL*() const{return ssl_.get()}
+voidreset(SSL* ssl = nullptr);
+ SSL* release();
+
+boolsetSession(const SSLSessionPointer& session);
+boolsetSniContext(const SSLCtxPointer& ctx) const;
+
+const std::string_view getClientHelloAlpn() const;
+const std::string_view getClientHelloServerName() const;
+
+ std::optional<const std::string_view> getServerName() const;
+ X509View getCertificate() const;
+ EVPKeyPointer getPeerTempKey() const;
+const SSL_CIPHER* getCipher() const;
+boolisServer() const;
+
+ std::optional<uint32_t> verifyPeerCertificate() const;
+
+voidgetCiphers(std::function<void(const std::string_view)> cb) const;
+
+static SSLPointer New(const SSLCtxPointer& ctx);
+static std::optional<const std::string_view> GetServerName(const SSL* ssl);
+
+private:
+ DeleteFnPtr<SSL, SSL_free> ssl_;
+};
 
 classX509Viewfinal{
 public:
@@ -565,6 +746,8 @@ class X509View final{
 NCRYPTO_DISALLOW_MOVE(X509View)
 
 inline X509* get() const{returnconst_cast<X509*>(cert_)}
+inlineoperator X509*() const{returnconst_cast<X509*>(cert_)}
+inlineoperatorconst X509*() const{return cert_}
 
 inlinebooloperator==(std::nullptr_t) noexcept{return cert_ == nullptr}
 inlineoperatorbool() const{return cert_ != nullptr}
@@ -589,6 +772,8 @@ class X509View final{
 boolcheckPrivateKey(const EVPKeyPointer& pkey) const;
 boolcheckPublicKey(const EVPKeyPointer& pkey) const;
 
+ std::optional<std::string> getFingerprint(const EVP_MD* method) const;
+
  X509Pointer clone() const;
 
 enumclassCheckMatch{
@@ -624,12 +809,17 @@ class X509Pointer final{
 inlinebooloperator==(std::nullptr_t) noexcept{return cert_ == nullptr}
 inlineoperatorbool() const{return cert_ != nullptr}
 inline X509* get() const{return cert_.get()}
+inlineoperator X509*() const{return cert_.get()}
+inlineoperatorconst X509*() const{return cert_.get()}
 voidreset(X509* cert = nullptr);
  X509* release();
 
  X509View view() const;
 operatorX509View() const{returnview()}
 
+static std::string_view ErrorCode(int32_t err);
+static std::optional<std::string_view> ErrorReason(int32_t err);
+
 private:
  DeleteFnPtr<X509, X509_free> cert_;
 };