Implement Mbed TLS Backend

Co-authored-by: tytan652 <17492366+tytan652@users.noreply.github.com>
Co-authored-by: Paul-Louis Ageneau <paul-louis@ageneau.org>

Author: 3 people

.github/workflows/build-mbedtls.yml

@@ -0,0 +1,37 @@
+name: Build with Mbed TLS
+on:
+  push:
+    branches:
+    - master
+  pull_request:
+jobs:
+  build-linux:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Homebrew
+      uses: Homebrew/actions/setup-homebrew@master
+    - name: Install Mbed TLS
+      run: brew update && brew install mbedtls
+    - name: submodules
+      run: git submodule update --init --recursive --depth 1
+    - name: cmake
+      run: cmake -B build -DUSE_MBEDTLS=1 -DWARNINGS_AS_ERRORS=1  -DCMAKE_PREFIX_PATH=$(brew --prefix mbedtls)
+    - name: make
+      run: (cd build; make -j2)
+    - name: test
+      run: ./build/tests
+  build-macos:
+    runs-on: macos-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Install Mbed TLS
+      run: brew update && brew install mbedtls
+    - name: submodules
+      run: git submodule update --init --recursive --depth 1
+    - name: cmake
+      run: cmake -B build -DUSE_MBEDTLS=1 -DWARNINGS_AS_ERRORS=1 -DENABLE_LOCAL_ADDRESS_TRANSLATION=1  -DCMAKE_PREFIX_PATH=$(brew --prefix mbedtls)
+    - name: make
+      run: (cd build; make -j2)
+    - name: test
+      run: ./build/tests

CMakeLists.txt

@@ -5,6 +5,7 @@ project(libdatachannel
 set(PROJECT_DESCRIPTION "C/C++ WebRTC network library featuring Data Channels, Media Transport, and WebSockets")
 
 # Options
+option(USE_MBEDTLS "Use Mbed TLS instead of OpenSSL" OFF)
 option(USE_GNUTLS "Use GnuTLS instead of OpenSSL" OFF)
 option(USE_NICE "Use libnice instead of libjuice" OFF)
 option(PREFER_SYSTEM_LIB "Prefer system libraries over deps folder" OFF)
@@ -21,12 +22,22 @@ option(WARNINGS_AS_ERRORS "Treat warnings as errors" OFF)
 option(CAPI_STDCALL "Set calling convention of C API callbacks stdcall" OFF)
 option(SCTP_DEBUG "Enable SCTP debugging output to verbose log" OFF)
 
+if (USE_MBEDTLS AND USE_GNUTLS)
+	message(FATAL_ERROR "Both USE_MBEDTLS and USE_GNUTLS can not be enabled at the same time")
+endif()
+
+
 if(USE_GNUTLS)
 	option(USE_NETTLE "Use Nettle in libjuice" ON)
 else()
 	option(USE_NETTLE "Use Nettle in libjuice" OFF)
+
 	if(NOT USE_SYSTEM_SRTP)
-		option(ENABLE_OPENSSL "Enable OpenSSL crypto engine for SRTP" ON)
+		if (USE_MBEDTLS)
+			option(ENABLE_MBEDTLS "Enable Mbed TLS crypto engine for SRTP" ON)
+		else()
+			option(ENABLE_OPENSSL "Enable OpenSSL crypto engine for SRTP" ON)
+		endif()
 	endif()
 endif()
 
@@ -337,6 +348,13 @@ if (USE_GNUTLS)
 		target_link_libraries(datachannel PRIVATE Nettle::Nettle)
 		target_link_libraries(datachannel-static PRIVATE Nettle::Nettle)
 	endif()
+elseif(USE_MBEDTLS)
+	find_package(MbedTLS 3 REQUIRED)
+
+	target_compile_definitions(datachannel PRIVATE USE_MBEDTLS)
+	target_compile_definitions(datachannel-static PRIVATE USE_MBEDTLS)
+	target_link_libraries(datachannel PRIVATE MbedTLS::MbedTLS)
+	target_link_libraries(datachannel-static PRIVATE MbedTLS::MbedTLS)
 else()
 	if(APPLE)
 		# This is a bug in CMake that causes it to prefer the system version over

cmake/Modules/FindMbedTLS.cmake

@@ -0,0 +1,214 @@
+#[=======================================================================[.rst
+FindMbedTLS
+-----------
+
+FindModule for MbedTLS and associated libraries
+
+Components
+^^^^^^^^^^
+
+This module contains provides several components:
+
+``MbedCrypto``
+``MbedTLS``
+``MbedX509``
+
+Import targets exist for each component.
+
+Imported Targets
+^^^^^^^^^^^^^^^^
+
+This module defines the :prop_tgt:`IMPORTED` targets:
+
+``MbedTLS::MbedCrypto``
+  Crypto component
+
+``MbedTLS::MbedTLS``
+  TLS component
+
+``MbedTLS::MbedX509``
+  X509 component
+
+Result Variables
+^^^^^^^^^^^^^^^^
+
+This module sets the following variables:
+
+``MbedTLS_FOUND``
+  True, if all required components and the core library were found.
+``MbedTLS_VERSION``
+  Detected version of found MbedTLS libraries.
+
+``MbedTLS_<COMPONENT>_VERSION``
+  Detected version of found MbedTLS component library.
+
+Cache variables
+^^^^^^^^^^^^^^^
+
+The following cache variables may also be set:
+
+``MbedTLS_<COMPONENT>_LIBRARY``
+  Path to the library component of MbedTLS.
+``MbedTLS_<COMPONENT>_INCLUDE_DIR``
+  Directory containing ``<COMPONENT>.h``.
+
+Distributed under the MIT License, see accompanying LICENSE file or
+https://github.com/PatTheMav/cmake-finders/blob/master/LICENSE for details.
+(c) 2023 Patrick Heyer
+
+#]=======================================================================]
+
+# cmake-format: off
+# cmake-lint: disable=C0103
+# cmake-lint: disable=C0301
+# cmake-lint: disable=C0307
+# cmake-format: on
+
+include(FindPackageHandleStandardArgs)
+
+find_package(PkgConfig QUIET)
+if(PKG_CONFIG_FOUND)
+  pkg_check_modules(PC_MbedTLS QUIET mbedtls mbedcrypto mbedx509)
+endif()
+
+# MbedTLS_set_soname: Set SONAME on imported library targets
+macro(MbedTLS_set_soname component)
+  if(CMAKE_HOST_SYSTEM_NAME MATCHES "Darwin")
+    execute_process(
+      COMMAND sh -c "otool -D '${Mbed${component}_LIBRARY}' | grep -v '${Mbed${component}_LIBRARY}'"
+      OUTPUT_VARIABLE _output
+      RESULT_VARIABLE _result)
+
+    if(_result EQUAL 0 AND _output MATCHES "^@rpath/")
+      set_property(TARGET MbedTLS::Mbed${component} PROPERTY IMPORTED_SONAME "${_output}")
+    endif()
+  elseif(CMAKE_HOST_SYSTEM_NAME MATCHES "Linux|FreeBSD")
+    execute_process(
+      COMMAND sh -c "objdump -p '${Mbed${component}_LIBRARY}' | grep SONAME"
+      OUTPUT_VARIABLE _output
+      RESULT_VARIABLE _result)
+
+    if(_result EQUAL 0)
+      string(REGEX REPLACE "[ \t]+SONAME[ \t]+([^ \t]+)" "\\1" _soname "${_output}")
+      set_property(TARGET MbedTLS::Mbed${component} PROPERTY IMPORTED_SONAME "${_soname}")
+      unset(_soname)
+    endif()
+  endif()
+  unset(_output)
+  unset(_result)
+endmacro()
+
+find_path(
+  MbedTLS_INCLUDE_DIR
+  NAMES mbedtls/ssl.h
+  HINTS "${PC_MbedTLS_INCLUDE_DIRS}"
+  PATHS /usr/include /usr/local/include
+  DOC "MbedTLS include directory")
+
+if(PC_MbedTLS_VERSION VERSION_GREATER 0)
+  set(MbedTLS_VERSION ${PC_MbedTLS_VERSION})
+elseif(EXISTS "${MbedTLS_INCLUDE_DIR}/mbedtls/build_info.h")
+  file(STRINGS "${MbedTLS_INCLUDE_DIR}/mbedtls/build_info.h" _VERSION_STRING
+       REGEX "#define[ \t]+MBEDTLS_VERSION_STRING[ \t]+.+")
+  string(REGEX REPLACE ".*#define[ \t]+MBEDTLS_VERSION_STRING[ \t]+\"(.+)\".*" "\\1" MbedTLS_VERSION
+                       "${_VERSION_STRING}")
+else()
+  if(NOT MbedTLS_FIND_QUIETLY)
+    message(AUTHOR_WARNING "Failed to find MbedTLS version.")
+  endif()
+  set(MbedTLS_VERSION 0.0.0)
+endif()
+
+find_library(
+  MbedTLS_LIBRARY
+  NAMES libmbedtls mbedtls
+  HINTS "${PC_MbedTLS_LIBRARY_DIRS}"
+  PATHS /usr/lib /usr/local/lib
+  DOC "MbedTLS location")
+
+find_library(
+  MbedCrypto_LIBRARY
+  NAMES libmbedcrypto mbedcrypto
+  HINTS "${PC_MbedTLS_LIBRARY_DIRS}"
+  PATHS /usr/lib /usr/local/lib
+  DOC "MbedCrypto location")
+
+find_library(
+  MbedX509_LIBRARY
+  NAMES libmbedx509 mbedx509
+  HINTS "${PC_MbedTLS_LIBRARY_DIRS}"
+  PATHS /usr/lib /usr/local/lib
+  DOC "MbedX509 location")
+
+if(MbedTLS_LIBRARY
+   AND NOT MbedCrypto_LIBRARY
+   AND NOT MbedX509_LIBRARY)
+  set(CMAKE_REQUIRED_LIBRARIES "${MbedTLS_LIBRARY}")
+  set(CMAKE_REQUIRED_INCLUDES "${MbedTLS_INCLUDE_DIR}")
+
+  check_symbol_exists(mbedtls_x509_crt_init "mbedtls/x590_crt.h" MbedTLS_INCLUDES_X509)
+  check_symbol_exists(mbedtls_sha256_init "mbedtls/sha256.h" MbedTLS_INCLUDES_CRYPTO)
+  unset(CMAKE_REQUIRED_LIBRARIES)
+  unset(CMAKE_REQUIRED_INCLUDES)
+endif()
+
+if(CMAKE_HOST_SYSTEM_NAME MATCHES "Darwin|Windows")
+  set(MbedTLS_ERROR_REASON "Ensure that an MbedTLS distribution is provided as part of CMAKE_PREFIX_PATH.")
+elseif(CMAKE_HOST_SYSTEM_NAME MATCHES "Linux|FreeBSD")
+  set(MbedTLS_ERROR_REASON "Ensure that MbedTLS is installed on the system.")
+endif()
+
+if(MbedTLS_INCLUDES_X509 AND MbedTLS_INCLUDES_CRYPTO)
+  find_package_handle_standard_args(
+    MbedTLS
+    REQUIRED_VARS MbedTLS_LIBRARY MbedTLS_INCLUDE_DIR
+    VERSION_VAR MbedTLS_VERSION REASON_FAILURE_MESSAGE "${MbedTLS_ERROR_REASON}")
+  mark_as_advanced(MbedTLS_LIBRARY MbedTLS_INCLUDE_DIR)
+  list(APPEND _COMPONENTS TLS)
+else()
+  find_package_handle_standard_args(
+    MbedTLS
+    REQUIRED_VARS MbedTLS_LIBRARY MbedCrypto_LIBRARY MbedX509_LIBRARY MbedTLS_INCLUDE_DIR
+    VERSION_VAR MbedTLS_VERSION REASON_FAILURE_MESSAGE "${MbedTLS_ERROR_REASON}")
+  mark_as_advanced(MbedTLS_LIBRARY MbedCrypto_LIBRARY MbedX509_LIBRARY MbedTLS_INCLUDE_DIR)
+  list(APPEND _COMPONENTS TLS Crypto X509)
+endif()
+unset(MbedTLS_ERROR_REASON)
+
+if(MbedTLS_FOUND)
+  foreach(component IN LISTS _COMPONENTS)
+    if(NOT TARGET MbedTLS::Mbed${component})
+      if(IS_ABSOLUTE "${Mbed${component}_LIBRARY}")
+        add_library(MbedTLS::Mbed${component} UNKNOWN IMPORTED)
+        set_property(TARGET MbedTLS::Mbed${component} PROPERTY IMPORTED_LOCATION "${Mbed${component}_LIBRARY}")
+      else()
+        add_library(MbedTLS::Mbed${component} INTERFACE IMPORTED)
+        set_property(TARGET MbedTLS::Mbed${component} PROPERTY IMPORTED_LIBNAME "${Mbed${component}_LIBRARY}")
+      endif()
+
+      mbedtls_set_soname(${component})
+      set_target_properties(
+        MbedTLS::MbedTLS
+        PROPERTIES INTERFACE_COMPILE_OPTIONS "${PC_MbedTLS_CFLAGS_OTHER}"
+                   INTERFACE_INCLUDE_DIRECTORIES "${MbedTLS_INCLUDE_DIR}"
+                   VERSION ${MbedTLS_VERSION})
+    endif()
+  endforeach()
+
+  if(MbedTLS_INCLUDES_X509 AND MbedTLS_INCLUDES_CRYPTO)
+    set(MbedTLS_LIBRARIES ${MbedTLS_LIBRARY})
+    set(MBEDTLS_INCLUDE_DIRS ${MbedTLS_INCLUDE_DIR})
+  else()
+    set(MbedTLS_LIBRARIES ${MbedTLS_LIBRARY} ${MbedCrypto_LIBRARY} ${MbedX509_LIBRARY})
+    set_property(TARGET MbedTLS::MbedTLS PROPERTY INTERFACE_LINK_LIBRARIES MbedTLS::MbedCrypto MbedTLS::MbedX509)
+    set(MBEDTLS_INCLUDE_DIRS ${MbedTLS_INCLUDE_DIR})
+  endif()
+endif()
+
+include(FeatureSummary)
+set_package_properties(
+  MbedTLS PROPERTIES
+  URL "https://www.trustedfirmware.org/projects/mbed-tls"
+  DESCRIPTION
+    "A C library implementing cryptographic primitives, X.509 certificate manipulation, and the SSL/TLS and DTLS protocols."
+)