[core] Added OpenSSL EVP API support to HaiCrypt (#2333).

CMake option -DUSE_ENCLIB=openssl-evp.
TCL configure script --use-enclib=openssl-evp.

CMakeLists.txt

@@ -15,13 +15,13 @@ include(haiUtil) # needed for set_version_variables
 # CMake version 3.0 introduced the VERSION option of the project() command
 # to specify a project version as well as the name.
 if(${CMAKE_VERSION} VERSION_LESS "3.0.0")
-  project(SRT C CXX)
-  # Sets SRT_VERSION_MAJOR, SRT_VERSION_MINOR, SRT_VERSION_PATCH
-  set_version_variables(SRT_VERSION ${SRT_VERSION})
+	project(SRT C CXX)
+	# Sets SRT_VERSION_MAJOR, SRT_VERSION_MINOR, SRT_VERSION_PATCH
+	set_version_variables(SRT_VERSION ${SRT_VERSION})
 else()
-  cmake_policy(SET CMP0048 NEW)
-  # Also sets SRT_VERSION_MAJOR, SRT_VERSION_MINOR, SRT_VERSION_PATCH
-  project(SRT VERSION ${SRT_VERSION} LANGUAGES C CXX)
+	cmake_policy(SET CMP0048 NEW)
+	# Also sets SRT_VERSION_MAJOR, SRT_VERSION_MINOR, SRT_VERSION_PATCH
+	project(SRT VERSION ${SRT_VERSION} LANGUAGES C CXX)
 endif()
 
 include(FindPkgConfig)
@@ -339,8 +339,9 @@ if (ENABLE_ENCRYPTION)
 				set(SRT_LIBS_PRIVATE ${SRT_LIBS_PRIVATE} "-l${LIB}")
 			endif()
 		endforeach()
-	else() # openssl
-		add_definitions(-DUSE_OPENSSL=1)
+	elseif ("${USE_ENCLIB}" STREQUAL "openssl-evp")
+		# Openssl-EVP requires CRYSPR2
+		add_definitions(-DUSE_OPENSSL_EVP=1 -DCRYSPR2)
 		set (SSL_REQUIRED_MODULES "openssl libcrypto")
 		# Try using pkg-config method first if enabled,
 		# fall back to find_package method otherwise
@@ -365,6 +366,39 @@ if (ENABLE_ENCRYPTION)
 			endif()
 			endif()
 
+			link_directories(
+				${SSL_LIBRARY_DIRS}
+			)
+			message(STATUS "SSL via pkg-config: -L ${SSL_LIBRARY_DIRS} -I ${SSL_INCLUDE_DIRS} -l;${SSL_LIBRARIES}")
+		else()
+			find_package(OpenSSL REQUIRED)
+			set (SSL_INCLUDE_DIRS ${OPENSSL_INCLUDE_DIR})
+			set (SSL_LIBRARIES ${OPENSSL_LIBRARIES})
+			message(STATUS "SSL via find_package(OpenSSL): -I ${SSL_INCLUDE_DIRS} -l;${SSL_LIBRARIES}")
+		endif()
+	else() # openssl
+		# Openssl (Direct-AES API) can use CRYSPR2
+		add_definitions(-DUSE_OPENSSL=1 -DCRYSPR2)
+			set (SSL_REQUIRED_MODULES "openssl libcrypto")
+		# Try using pkg-config method first if enabled,
+		# fall back to find_package method otherwise
+		if (USE_OPENSSL_PC)
+			pkg_check_modules(SSL ${SSL_REQUIRED_MODULES})
+		endif()
+		if (SSL_FOUND)
+			# We have some cases when pkg-config is improperly configured
+			# When it doesn't ship the -L and -I options, and the CMAKE_PREFIX_PATH
+			# is set (also through `configure`), then we have this problem. If so,
+			# set forcefully the -I and -L contents to prefix/include and
+			# prefix/lib.
+			if ("${SSL_LIBRARY_DIRS}" STREQUAL "")
+			if (NOT "${CMAKE_PREFIX_PATH}" STREQUAL "")
+				message(STATUS "WARNING: pkg-config has incorrect prefix - enforcing target path prefix: ${CMAKE_PREFIX_PATH}")
+				set (SSL_LIBRARY_DIRS ${CMAKE_PREFIX_PATH}/${CMAKE_INSTALL_LIBDIR})
+				set (SSL_INCLUDE_DIRS ${CMAKE_PREFIX_PATH}/include)
+			endif()
+			endif()
+
 			link_directories(
 				${SSL_LIBRARY_DIRS}
 			)

docs/build/build-options.md

@@ -58,7 +58,7 @@ Option details are given further below.
 | [`PTHREAD_LIBRARY`](#pthread_library)                        | 1.3.0 | `STRING`  | OFF        | Configures the path to a pthread library.  |
 | [`USE_BUSY_WAITING`](#use_busy_waiting)                      | 1.3.3 | `BOOL`    | OFF        | Enables more accurate sending times at the cost of potentially higher CPU load. |
 | [`USE_CXX_STD`](#use_cxx_std)                                | 1.4.2 | `STRING`  | OFF        | Enforces using a particular C++ standard (11, 14, 17, etc.) when compiling. |
-| [`USE_ENCLIB`](#use_enclib)                                  | 1.3.3 | `STRING`  | openssl    | Encryption library to be used (`openssl`, `gnutls`, `mbedtls`).  |
+| [`USE_ENCLIB`](#use_enclib)                                  | 1.3.3 | `STRING`  | openssl    | Encryption library to be used (`openssl`, `openssl-evp` (since 1.5.1-dev), `gnutls`, `mbedtls`).  |
 | [`USE_GNUSTL`](#use_gnustl)                                  | 1.3.4 | `BOOL`    | OFF        | Use `pkg-config` with the `gnustl` package name to extract the header and library path for the C++ standard library.  |
 | [`USE_OPENSSL_PC`](#use_openssl_pc)                          | 1.3.0 | `BOOL`    | ON         | Use `pkg-config` to find OpenSSL libraries.  |
 | [`OPENSSL_USE_STATIC_LIBS`](#openssl_use_static_libs)        | 1.5.0 | `BOOL`    | OFF        | Link OpenSSL statically.  |
@@ -456,12 +456,7 @@ will be run as part of the build process. This is intended for developers only.
 **`--openssl-crypto-library=<filepath>`**
 
 Used to configure the path to an OpenSSL crypto library. Ignored when encryption 
-is disabled (ENABLE_ENCRYPTION = OFF). Supported libraries are:
-
-  - openssl (default)
-  - gnutls
-  - mbedtls
-
+is disabled (ENABLE_ENCRYPTION = OFF). See [`USE_ENCLIB`](#use_enclib) for the list of supported libraries.
 
 [:arrow_up: &nbsp; Back to List of Build Options](#list-of-build-options)
 
@@ -534,6 +529,7 @@ remember that:
 Encryption library to be used. Possible options for `<name>`:
 
 * openssl (default)
+* openssl-evp (OpenSSL EVP API, since 1.5.1-dev)
 * gnutls (with nettle)
 * mbedtls
 

haicrypt/cryspr-config.h

@@ -9,6 +9,10 @@
 #include "cryspr-openssl.h"
 #define cryspr4SRT()  crysprOpenSSL()
 #define CRYSPR_IMPL_DESC "OpenSSL-AES"
+#elif defined(USE_OPENSSL_EVP)
+#include "cryspr-openssl-evp.h"
+#define cryspr4SRT()  crysprOpenSSL_EVP()
+#define CRYSPR_IMPL_DESC "OpenSSL-EVP"
 #elif defined(USE_GNUTLS)
 #include "cryspr-gnutls.h"
 #define cryspr4SRT()  crysprGnuTLS()

haicrypt/cryspr-gnutls.c

@@ -13,6 +13,8 @@
 written by
    Haivision Systems Inc.
 
+   2022-05-19 (jdube)
+        CRYSPR2 adaptation
    2019-06-27 (jdube)
         GnuTLS/Nettle CRYSPR/4SRT (CRYypto Service PRovider for SRT)
 *****************************************************************************/
@@ -24,6 +26,10 @@ written by
 typedef struct tag_crysprGnuTLS_AES_cb {
         CRYSPR_cb       ccb;        /* CRYSPR control block */
         /* Add other cryptolib specific data here */
+#ifdef CRYSPR2
+        CRYSPR_AESCTX   aes_kek_buf;		/* Key Encrypting Key (KEK) */
+        CRYSPR_AESCTX   aes_sek_buf[2];		/* even/odd Stream Encrypting Key (SEK) */
+#endif
 } crysprGnuTLS_cb;
 
 
@@ -33,11 +39,14 @@ int crysprGnuTLS_Prng(unsigned char *rn, int len)
 }
 
 int crysprGnuTLS_AES_SetKey(
+    int cipher_type,            /* One of HCRYPT_CTX_MODE_[CLRTXT|AESECB|AESCTR] */
     bool bEncrypt,              /* true:encrypt key, false:decrypt key*/
     const unsigned char *kstr,  /* key string */
     size_t kstr_len,            /* kstr length in  bytes (16, 24, or 32 bytes (for AES128,AES192, or AES256) */
     CRYSPR_AESCTX *aes_key)     /* Cryptolib Specific AES key context */
 {
+    (void)cipher_type;
+
     if (bEncrypt) {        /* Encrypt key */
         if (!(kstr_len == 16 || kstr_len == 24 || kstr_len == 32)) {
             HCRYPT_LOG(LOG_ERR, "%s", "AES_set_encrypt_key(kek) bad length\n");
@@ -114,6 +123,31 @@ int crysprGnuTLS_AES_CtrCipher( /* AES-CTR128 Encryption */
     return 0;
 }
 
+#ifdef CRYSPR2
+static CRYSPR_cb *crysprGnuTLS_Open(CRYSPR_methods *cryspr, size_t max_len)
+{
+    crysprGnuTLS_cb *aes_data;
+    CRYSPR_cb *cryspr_cb;
+
+    aes_data = (crysprGnuTLS_cb *)crysprHelper_Open(cryspr, sizeof(crysprGnuTLS_cb), max_len);
+    if (NULL == aes_data) {
+        HCRYPT_LOG(LOG_ERR, "crysprHelper_Open(%p, %zd, %zd) failed\n", cryspr, sizeof(crysprGnuTLS_cb), max_len);
+        return(NULL);
+    }
+
+    aes_data->ccb.aes_kek = &aes_data->aes_kek_buf; //key encrypting key
+    aes_data->ccb.aes_sek[0] = &aes_data->aes_sek_buf[0]; //stream encrypting key
+    aes_data->ccb.aes_sek[1] = &aes_data->aes_sek_buf[1]; //stream encrypting key
+
+    return(&aes_data->ccb);
+}
+
+static int crysprGnuTLS_Close(CRYSPR_cb *cryspr_cb)
+{
+    return(crysprHelper_Close(cryspr_cb));
+}
+#endif /* CRYSPR2 */
+
 #ifdef CRYSPR_HAS_PBKDF2
 /*
 * Password-based Key Derivation Function
@@ -157,8 +191,13 @@ CRYSPR_methods *crysprGnuTLS(void)
     #endif
 
     //--Crypto Session (Top API)
+    #ifdef CRYSPR2
+        crysprGnuTLS_methods.open     = crysprGnuTLS_Open;
+        crysprGnuTLS_methods.close    = crysprGnuTLS_Close;
+    #else /* CRYSPR2 */
     //  crysprGnuTLS_methods.open     =
     //  crysprGnuTLS_methods.close    =
+    #endif /* CRYSPR2 */
     //--Keying material (km) encryption
 #if CRYSPR_HAS_PBKDF2
     	crysprGnuTLS_methods.km_pbkdf2  = crysprGnuTLS_KmPbkdf2;

haicrypt/cryspr-mbedtls.c

@@ -13,6 +13,8 @@
 written by
    Haivision Systems Inc.
 
+   2022-05-19 (jdube)
+        CRYSPR2 adaptation
    2019-06-27 (jdube)
         GnuTLS/Nettle CRYSPR/4SRT (CRYypto Service PRovider for SRT)
 *****************************************************************************/
@@ -34,6 +36,10 @@ static mbedtls_md_context_t crysprMbedtls_mdctx;
 typedef struct tag_crysprGnuTLS_AES_cb {
         CRYSPR_cb       ccb;        /* CRYSPR control block */
         /* Add other cryptolib specific data here */
+#ifdef CRYSPR2
+        CRYSPR_AESCTX   aes_kek_buf;		/* Key Encrypting Key (KEK) */
+        CRYSPR_AESCTX   aes_sek_buf[2];		/* even/odd Stream Encrypting Key (SEK) */
+#endif
 } crysprMbedtls_cb;
 
 
@@ -49,18 +55,23 @@ int crysprMbedtls_Prng(unsigned char *rn, int len)
 }
 
 int crysprMbedtls_AES_SetKey(
+        int cipher_type,            /* One of HCRYPT_CTX_MODE_[CLRTXT|AESECB|AESCTR] */
         bool bEncrypt,              /* true:encrypt key, false:decrypt key*/
         const unsigned char *kstr,  /* key string */
         size_t kstr_len,            /* kstr length in  bytes (16, 24, or 32 bytes, for AES128,AES192, or AES256) */
         CRYSPR_AESCTX *aes_key)     /* Cryptolib Specific AES key context */
 {
+    (void)cipher_type;
+
     if (!(kstr_len == 16 || kstr_len == 24 || kstr_len == 32)) {
         HCRYPT_LOG(LOG_ERR, "%s", "AES_set_encrypt_key(kek) bad length\n");
         return -1;
     }
 
     int ret;
-
+#ifdef CRYSPR2
+    (void)cipher_type;
+#endif
     // mbedtls uses the "bits" convention (128, 192, 254), just like openssl.
     // kstr_len is in "bytes" convention (16, 24, 32).
 
@@ -146,6 +157,31 @@ int crysprMbedtls_AES_CtrCipher( /* AES-CTR128 Encryption */
     return 0;
 }
 
+#ifdef CRYSPR2
+static CRYSPR_cb *crysprMbedtls_Open(CRYSPR_methods *cryspr, size_t max_len)
+{
+    crysprMbedtls_cb *aes_data;
+    CRYSPR_cb *cryspr_cb;
+
+    aes_data = (crysprMbedtls_cb *)crysprHelper_Open(cryspr, sizeof(crysprMbedtls_cb), max_len);
+    if (NULL == aes_data) {
+        HCRYPT_LOG(LOG_ERR, "crysprHelper_Open(%p, %zd, %zd) failed\n", cryspr, sizeof(crysprMbedtls_cb), max_len);
+        return(NULL);
+    }
+
+    aes_data->ccb.aes_kek = &aes_data->aes_kek_buf; //key encrypting key
+    aes_data->ccb.aes_sek[0] = &aes_data->aes_sek_buf[0]; //stream encrypting key
+    aes_data->ccb.aes_sek[1] = &aes_data->aes_sek_buf[1]; //stream encrypting key
+
+    return(&aes_data->ccb);
+}
+
+static int crysprMbedtls_Close(CRYSPR_cb *cryspr_cb)
+{
+    return(crysprHelper_Close(cryspr_cb));
+}
+#endif /* CRYSPR2 */
+
 /*
 * Password-based Key Derivation Function
 */
@@ -196,8 +232,13 @@ CRYSPR_methods *crysprMbedtls(void)
 #endif
 
     //--Crypto Session (Top API)
+#ifdef CRYSPR2
+        crysprMbedtls_methods.open     = crysprMbedtls_Open;
+        crysprMbedtls_methods.close    = crysprMbedtls_Close;
+#else
     //  crysprMbedtls_methods.open     =
     //  crysprMbedtls_methods.close    =
+#endif
     //--Keying material (km) encryption
     crysprMbedtls_methods.km_pbkdf2  = crysprMbedtls_KmPbkdf2;
     //	crysprMbedtls_methods.km_setkey  =

haicrypt/cryspr-mbedtls.h

@@ -52,7 +52,7 @@ written by
 /*
 #define CRYSPR_AESCTX to the CRYSPR specifix AES key context object.
 This type reserves room in the CRYPSPR control block for Haicrypt KEK and SEK
-It is set from hte keystring through CRYSPR_methods.aes_set_key and passed
+It is set from the keystring through CRYSPR_methods.aes_set_key and passed
 to CRYSPR_methods.aes_XXX.
 */
 typedef mbedtls_aes_context CRYSPR_AESCTX;   /* CRYpto Service PRovider AES key context */