[core] A crypto service provider based on Botan (#2700).

Haivision · Sep 19, 2023 · 37e6588 · 37e6588
1 parent 218c7fd
commit 37e6588
Show file tree

Hide file tree

Showing 11 changed files with 694 additions and 21 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -232,7 +232,7 @@ if (NOT USE_ENCLIB)
 endif()
 
 set(USE_ENCLIB "${USE_ENCLIB}" CACHE STRING "The crypto library that SRT uses")
-set_property(CACHE USE_ENCLIB PROPERTY STRINGS "openssl" "gnutls" "mbedtls")
+set_property(CACHE USE_ENCLIB PROPERTY STRINGS "openssl" "gnutls" "mbedtls" "botan")
 
 # Make sure DLLs and executabes go to the same path regardles of subdirectory
 set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR})
@@ -404,6 +404,46 @@ if (ENABLE_ENCRYPTION)
 			set (SSL_LIBRARIES ${OPENSSL_LIBRARIES})
 			message(STATUS "SSL via find_package(OpenSSL): -I ${SSL_INCLUDE_DIRS} -l;${SSL_LIBRARIES}")
 		endif()
+	elseif ("${USE_ENCLIB}" STREQUAL "botan")
+		add_definitions(-DUSE_BOTAN=1 -DCRYSPR2)
+		set (SSL_REQUIRED_MODULES "botan")
+		find_package(Botan 3.0.0 REQUIRED)
+		botan_generate(
+			botan
+			ffi
+			nist_keywrap
+			aes_armv8
+			aes_ni
+			aes_power8
+			aes_vperm
+			idea_sse2
+			serpent_avx2
+			shacal2_armv8
+			shacal2_avx2
+			shacal2_x86
+			sm4_armv8
+			rdseed
+			sha1_armv8
+			sha1_sse2
+			sha1_x86
+			sha2_32_armv8
+			sha2_32_bmi2
+			sha2_32_x86
+			sha2_64_bmi2
+			sha3_bmi2
+			zfec_sse2
+			zfec_vperm
+			argon2_avx2
+			argon2_ssse3
+			processor_rng
+			chacha_avx2
+			ghash_cpu
+			ghash_vperm
+			simd
+			simd_avx2)
+		target_compile_features("botan" PRIVATE "cxx_std_20")
+		set (SSL_INCLUDE_DIRS ${CMAKE_CURRENT_BINARY_DIR})
+		set (SSL_LIBRARIES "botan")
 	else() # openssl
 		# Openssl (Direct-AES API) can use CRYSPR2
 		add_definitions(-DUSE_OPENSSL=1 -DCRYSPR2)
@@ -445,11 +485,11 @@ if (ENABLE_ENCRYPTION)
 	message (STATUS "SSL libraries: ${SSL_LIBRARIES}")
 
 	if (ENABLE_AEAD_API_PREVIEW)
-		if ("${USE_ENCLIB}" STREQUAL "openssl-evp")
+		if (("${USE_ENCLIB}" STREQUAL "openssl-evp") OR ("${USE_ENCLIB}" STREQUAL "botan"))
 			add_definitions(-DENABLE_AEAD_API_PREVIEW)
 			message(STATUS "ENCRYPTION AEAD API: ENABLED")
 		else()
-			message(FATAL_ERROR "ENABLE_AEAD_API_PREVIEW is only available with USE_ENCLIB=openssl-evp!")
+			message(FATAL_ERROR "ENABLE_AEAD_API_PREVIEW is only available with USE_ENCLIB=[openssl-evp | botan]!")
 		endif()
 	else()
 		message(STATUS "ENCRYPTION AEAD API: DISABLED")
@@ -1009,10 +1049,12 @@ if (srt_libspec_shared)
 	endif()
 	if (MICROSOFT)
 		target_link_libraries(${TARGET_srt}_shared PRIVATE ws2_32.lib)
-		if (OPENSSL_USE_STATIC_LIBS)
-			target_link_libraries(${TARGET_srt}_shared PRIVATE crypt32.lib)
-		else()
-			set_target_properties(${TARGET_srt}_shared PROPERTIES LINK_FLAGS "/DELAYLOAD:libeay32.dll")
+		if (NOT (ENABLE_ENCRYPTION AND "${USE_ENCLIB}" STREQUAL "botan"))
+			if (OPENSSL_USE_STATIC_LIBS)
+				target_link_libraries(${TARGET_srt}_shared PRIVATE crypt32.lib)
+			else()
+				set_target_properties(${TARGET_srt}_shared PROPERTIES LINK_FLAGS "/DELAYLOAD:libeay32.dll")
+			endif()
 		endif()
 	elseif (MINGW)
 		target_link_libraries(${TARGET_srt}_shared PRIVATE wsock32 ws2_32)
@@ -1096,6 +1138,10 @@ endif()
 
 target_compile_definitions(srt_virtual PRIVATE -DSRT_LOG_SLOWDOWN_FREQ_MS=${SRT_LOG_SLOWDOWN_FREQ_MS})
 
+if (ENABLE_ENCRYPTION AND "${USE_ENCLIB}" STREQUAL "botan")
+	add_dependencies(srt_virtual botan)
+endif()
+
 if (srt_libspec_shared)
 	if (MICROSOFT)
 		target_link_libraries(${TARGET_srt}_shared PUBLIC Ws2_32.lib)

diff --git a/configure-data.tcl b/configure-data.tcl
@@ -67,7 +67,7 @@ set cmake_options {
     enable-clang-tsa "Enable Clang's Thread-Safety-Analysis (default: OFF)"
     atomic-use-srt-sync-mutex "Use mutex to implement atomics (alias: --with-atomic=sync-mutex) (default: OFF)"
 
-    use-enclib "Encryption library to be used: openssl(default), gnutls, mbedtls"
+    use-enclib "Encryption library to be used: openssl(default), gnutls, mbedtls, botan"
     enable-debug=<0,1,2> "Enable debug mode (0=disabled, 1=debug, 2=rel-with-debug)"
     pkg-config-executable=<filepath> "pkg-config executable"
     openssl-crypto-library=<filepath> "OpenSSL: Path to a libcrypto library."
@@ -374,6 +374,10 @@ proc postprocess {} {
 	if { $::HAVE_DARWIN && !$toolchain_changed } {
 		set use_brew 1
 	}
+	if { [info exists ::optval(--use-enclib)] && $::optval(--use-enclib) == "botan"} {
+		set use_brew 0
+	}
+
 	if { $use_brew } {
 		foreach item $::cmakeopt {
 			if { [string first "Android" $item] != -1 } {

diff --git a/docs/build/build-options.md b/docs/build/build-options.md
@@ -61,7 +61,7 @@ Option details are given further below.
 | [`SRT_LOG_SLOWDOWN_FREQ_MS`](#SRT_LOG_SLOWDOWN_FREQ_MS)      | 1.5.2 | `INT`     | 1000\*     | Reduce the frequency of some frequent logs, milliseconds.                                                                                            |
 | [`USE_BUSY_WAITING`](#use_busy_waiting)                      | 1.3.3 | `BOOL`    | OFF        | Enables more accurate sending times at the cost of potentially higher CPU load.                                                                      |
 | [`USE_CXX_STD`](#use_cxx_std)                                | 1.4.2 | `STRING`  | OFF        | Enforces using a particular C++ standard (11, 14, 17, etc.) when compiling.                                                                          |
-| [`USE_ENCLIB`](#use_enclib)                                  | 1.3.3 | `STRING`  | openssl    | Encryption library to be used (`openssl`, `openssl-evp` (since 1.5.1), `gnutls`, `mbedtls`).                                                         |
+| [`USE_ENCLIB`](#use_enclib)                                  | 1.3.3 | `STRING`  | openssl    | Encryption library to be used (`openssl`, `openssl-evp` (since 1.5.1), `gnutls`, `mbedtls`, `botan` (since 1.6.0)).                                                         |
 | [`USE_GNUSTL`](#use_gnustl)                                  | 1.3.4 | `BOOL`    | OFF        | Use `pkg-config` with the `gnustl` package name to extract the header and library path for the C++ standard library.                                 |
 | [`USE_OPENSSL_PC`](#use_openssl_pc)                          | 1.3.0 | `BOOL`    | ON         | Use `pkg-config` to find OpenSSL libraries.                                                                                                          |
 | [`OPENSSL_USE_STATIC_LIBS`](#openssl_use_static_libs)        | 1.5.0 | `BOOL`    | OFF        | Link OpenSSL statically.                                                                                                                             |
@@ -275,8 +275,9 @@ use encryption for the connection.
 **`--enable-aead-api-preview`** (default: OFF)
 
 When ON, the AEAD API is enabled. The `ENABLE_ENCRYPTION` must be enabled as well.
-The AEAD functionality is only available if OpenSSL EVP is selected as the crypto provider:
-build option should be set to `USE_ENCLIB=openssl-evp`.
+The AEAD functionality is only available if either OpenSSL EVP or Botan is selected
+as the crypto provider:
+build option `-DUSE_ENCLIB=[openssl-evp | botan]`.  
 
 The AEAD API is to be official in SRT v1.6.0.
 
@@ -600,6 +601,7 @@ Encryption library to be used. Possible options for `<name>`:
 * openssl-evp (OpenSSL EVP API, since 1.5.1)
 * gnutls (with nettle)
 * mbedtls
+* botan
 
 
 #### USE_GNUSTL