A crypto service provider based on Botan #2700

Merged
merged 2 commits into from
Sep 19, 2023

oviano
Contributor

@oviano oviano commented Mar 29, 2023

As my project primarily uses Botan (https://botan.randombit.net) I decided to write a Botan cryspr for SRT so that I could drop my dependency on multiple crypto libs.

I'm sharing this in case it is of interest to anyone. I've not integrated this into the SRT build system(s) at this stage as I do not use them; instead dropping the SRT files directly into my projects.

@jeandube
Collaborator

jeandube commented Mar 29, 2023

Wow! A C++ crypto lib integrated in a C++ protocol via a "C" cryspr.
@oviano A quick look shows that this Botan cryspr does not support AEAD (AES-GCM). Was it by choice, or because you made it from a template that does not support it? Not a complaint, since only the openssl-evp cryspr supports it. I am trying to figure out the path you took for this development.

@oviano
Contributor Author

oviano commented Mar 29, 2023

So, it's a work in progress at the moment - I've only just realised Botan has a C API wrapper so I'm changing it to use that in any case, then I don't need to have the botan_sys workaround for the C++/C problem and it makes things cleaner.

I started by looking at MBedTLS, then realised that ECB wasn't supported by Botan, but it has AES keywrap functions so I enabled that option.

I will look at AES-GCM - I expect Botan does support that, so I'll have a look at the openssl-evp wrapper....

More to come later anyway.

@maxsharabayko added this to the v1.6.0 milestone Mar 29, 2023
@maxsharabayko added the "Type: Enhancement" (Indicates new feature requests) and "[core]" (Area: Changes in SRT library core) labels Mar 29, 2023
@maxsharabayko
Collaborator

Thank you for the proposal, @oviano!
Please also consider extending the CMake build option USE_ENCLIB=botan.

@oviano
Contributor Author

oviano commented Mar 29, 2023

> Thank you for the proposal, @oviano!
> Please also consider extending the CMake build option USE_ENCLIB=botan.

Yes, I will look at that once I've got AES-GCM working.

@randombit

@oviano Just a FYI - AES-GCM is certainly supported. Also ECB is available, both via the C and C++ APIs, but only via the raw block cipher interface. Eg in the C API botan_block_cipher_encrypt_blocks == ECB encryption.

@oviano
Contributor Author

oviano commented Mar 29, 2023

> @oviano Just a FYI - AES-GCM is certainly supported. Also ECB is available, both via the C and C++ APIs, but only via the raw block cipher interface. Eg in the C API botan_block_cipher_encrypt_blocks == ECB encryption.

Great, thanks for the info. I’ve just committed AES-GCM support actually. ECB seems like a fallback option for when CTR or GCM is not available in the cryptolib so doesn’t seem much point in adding.

@codecov-commenter

codecov-commenter commented Mar 29, 2023

Codecov Report

Merging #2700 (162fc4e) into master (6fcff6d) will increase coverage by 0.01%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #2700      +/-   ##
==========================================
+ Coverage   67.11%   67.13%   +0.01%     
==========================================
  Files          99       99              
  Lines       20174    20174              
==========================================
+ Hits        13540    13544       +4     
+ Misses       6634     6630       -4     

see 10 files with indirect coverage changes

@oviano
Contributor Author

oviano commented Mar 30, 2023

So it now works with both AES-CTR and AES-GCM, and the only thing it needs is someone to finish off what is required in CMakeLists.txt to allow it to find the Botan install and link to the relevant libraries etc.

I don't have enough experience with CMake for this to be something trivial for me.

@oviano
Contributor Author

oviano commented Apr 7, 2023

> Thank you for the proposal, @oviano!
> Please also consider extending the CMake build option USE_ENCLIB=botan.

I've now integrated this into the CMake system and I have built it on Android (macOS host), macOS, iOS, Windows and Linux (Ubuntu 22.04 VM).

Here is a summary of the build commands necessary:

Android (armv7a, armv8a, x86, x86_64)

./build-android -n /Users/Oliver/Library/Android/sdk/ndk/25.1.8937393 -e botan -t armeabi-v7a
./build-android -n /Users/Oliver/Library/Android/sdk/ndk/25.1.8937393 -e botan -t arm64-v8a
./build-android -n /Users/Oliver/Library/Android/sdk/ndk/25.1.8937393 -e botan -t x86
./build-android -n /Users/Oliver/Library/Android/sdk/ndk/25.1.8937393 -e botan -t x86_64

iOS (arm64, armv7)

./configure --cmake-toolchain-file=scripts/iOS.cmake --ios-arch=arm64 --use-enclib=botan --botan-os=ios --botan-cpu=arm64
make
./configure --cmake-toolchain-file=scripts/iOS.cmake --ios-arch=armv7 --use-enclib=botan --botan-os=ios --botan-cpu=armv7
make

macOS (arm64, x86_64)

./configure --CMAKE_OSX_ARCHITECTURES=arm64 --use-enclib=botan --botan-os=macos --botan-cpu=arm64
make
./configure --CMAKE_OSX_ARCHITECTURES=x86_64 --use-enclib=botan --botan-os=macos --botan-cpu=x86_64
make

Windows (x86_64)

cmake . -G"Visual Studio 17 2022" -A x64 -DUSE_ENCLIB=botan -DBOTAN_OS=windows -DBOTAN_CPU=x86_64
cmake --build .

Linux (x86_64)

./configure --use-enclib=botan --botan-os=linux --botan-cpu=x86_64
make

Specifying the enclib as botan triggers FindBotan.cmake to be used (this is in the scripts folder), which downloads the latest Botan release source code from GitHub, creates the amalgamation files and builds a simple static library which is then linked to srt.

It's all automatic, except for having to pass in botan-os and botan-cpu as shown above to tell Botan to configure the amalgamation files correctly (including the required intrinsics, for example).

@oviano oviano force-pushed the botan-cryspr branch 2 times, most recently from 5cf46ac to ea4922a Compare April 12, 2023 11:09
@oviano oviano force-pushed the botan-cryspr branch 2 times, most recently from c158eb3 to 9b8669f Compare April 20, 2023 11:11
@maxsharabayko maxsharabayko merged commit 37e6588 into Haivision:master Sep 19, 2023
8 of 10 checks passed