Implementation of Mbed TLS support

pjsip · Feb 5, 2025 · c5dda2b · c5dda2b
1 parent 3fcce51
commit c5dda2b
Show file tree

Hide file tree

Showing 6 changed files with 1,057 additions and 5 deletions.
diff --git a/aconfigure b/aconfigure
@@ -668,6 +668,8 @@ opencore_amrnb_present
 opencore_amrnb_h_present
 ac_no_opencore_amrwb
 ac_no_opencore_amrnb
+libmbedtls_present
+mbedtls_h_present
 libgnutls_present
 gnutls_h_present
 libcrypto_present
@@ -867,6 +869,7 @@ with_ipp_arch
 enable_android_mediacodec
 with_ssl
 with_gnutls
+with_mbedtls
 enable_darwin_ssl
 enable_ssl
 with_opencore_amrnb
@@ -1625,6 +1628,7 @@ Optional Packages:
                           GnuTLS. To skip OpenSSL finding, use --with-gnutls
                           option instead.
   --with-gnutls=DIR       Specify alternate GnuTLS prefix
+  --with-mbedtls=DIR      Specify alternate MbedTLS prefix
   --with-opencore-amrnb=DIR
                           This option is obsolete and replaced by
                           --with-opencore-amr=DIR
@@ -9683,7 +9687,19 @@ esac
 fi
 
 
-if test "x$ac_cross_compile" != "x" -a "x$with_ssl" = "xno" -a "x$with_gnutls" = "xno"; then
+
+# Check whether --with-mbedtls was given.
+if test ${with_mbedtls+y}
+then :
+  withval=$with_mbedtls;
+else case e in #(
+  e) with_mbedtls=no
+ ;;
+esac
+fi
+
+
+if test "x$ac_cross_compile" != "x" -a "x$with_ssl" = "xno" -a "x$with_gnutls" = "xno" -a "x$with_mbedtls" = "xno"; then
     enable_ssl=no
 fi
 
@@ -9775,7 +9791,7 @@ else case e in #(
 printf "%s\n" "Using SSL prefix... $with_ssl" >&6; }
         fi
 
-        if test "x$with_gnutls" = "xno"; then
+        if test "x$with_gnutls" = "xno" -a "x$with_mbedtls" = "xno"; then
             # We still need to check for OpenSSL installations even if
             # we find Darwin SSL above since DTLS requires OpenSSL.
             { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: checking for OpenSSL installations.." >&5
@@ -10139,6 +10155,100 @@ printf "%s\n" "** No GnuTLS libraries found, disabling SSL support **" >&6; }
 
         fi
 
+        if test "x$ac_ssl_backend" = "x"; then
+            if test "x$with_mbedtls" != "xno" -a "x$with_mbedtls" != "x"; then
+                CFLAGS="$CFLAGS -I$with_mbedtls/include"
+                LDFLAGS="$LDFLAGS -L$with_mbedtls/lib"
+                { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: Using MbedTLS prefix... $with_mbedtls" >&5
+printf "%s\n" "Using MbedTLS prefix... $with_mbedtls" >&6; }
+            fi
+
+            { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: checking for MbedTLS installations.." >&5
+printf "%s\n" "checking for MbedTLS installations.." >&6; }
+
+
+            ac_fn_c_check_header_compile "$LINENO" "mbedtls/version.h" "ac_cv_header_mbedtls_version_h" "$ac_includes_default"
+if test "x$ac_cv_header_mbedtls_version_h" = xyes
+then :
+  mbedtls_h_present=1
+fi
+
+
+            if test "$PKG_CONFIG" != "none"; then
+                if $PKG_CONFIG --exists mbedtls mbedcrypto mbedx509; then
+                    LIBS="$LIBS `$PKG_CONFIG --libs mbedtls mbedcrypto mbedx509`"
+                    libmbedtls_present=1
+                else
+                    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for mbedtls_version_get_number in -lmbedtls" >&5
+printf %s "checking for mbedtls_version_get_number in -lmbedtls... " >&6; }
+if test ${ac_cv_lib_mbedtls_mbedtls_version_get_number+y}
+then :
+  printf %s "(cached) " >&6
+else case e in #(
+  e) ac_check_lib_save_LIBS=$LIBS
+LIBS="-lmbedtls  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.
+   The 'extern "C"' is for builds by C++ compilers;
+   although this is not generally supported in C code supporting it here
+   has little cost and some practical benefit (sr 110532).  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char mbedtls_version_get_number (void);
+int
+main (void)
+{
+return mbedtls_version_get_number ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"
+then :
+  ac_cv_lib_mbedtls_mbedtls_version_get_number=yes
+else case e in #(
+  e) ac_cv_lib_mbedtls_mbedtls_version_get_number=no ;;
+esac
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.beam \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS ;;
+esac
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_mbedtls_mbedtls_version_get_number" >&5
+printf "%s\n" "$ac_cv_lib_mbedtls_mbedtls_version_get_number" >&6; }
+if test "x$ac_cv_lib_mbedtls_mbedtls_version_get_number" = xyes
+then :
+
+                        libmbedtls_present=1 && LIBS="$LIBS -lmbedtls"
+fi
+
+                fi
+            else
+                { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: *** Warning: neither pkg-config nor python is available, disabling mbedtls. ***" >&5
+printf "%s\n" "*** Warning: neither pkg-config nor python is available, disabling mbedtls. ***" >&6; }
+            fi
+
+            if test "x$mbedtls_h_present" = "x1" -a "x$libmbedtls_present" = "x1"; then
+                { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: MbedTLS library found, SSL support enabled" >&5
+printf "%s\n" "MbedTLS library found, SSL support enabled" >&6; }
+                printf "%s\n" "#define PJ_HAS_SSL_SOCK 1" >>confdefs.h
+
+                printf "%s\n" "#define PJ_SSL_SOCK_IMP PJ_SSL_SOCK_IMP_MBEDTLS" >>confdefs.h
+
+                ac_ssl_backend="mbedtls"
+            else
+                { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: ** No MbedTLS libraries found, disabling SSL support **" >&5
+printf "%s\n" "** No MbedTLS libraries found, disabling SSL support **" >&6; }
+            fi
+
+        fi
+
  ;;
 esac
 fi

diff --git a/aconfigure.ac b/aconfigure.ac
@@ -2106,8 +2106,15 @@ AC_ARG_WITH(gnutls,
     [with_gnutls=no]
 )
 
+dnl # MbedTLS alt prefix
+AC_ARG_WITH(mbedtls,
+    AS_HELP_STRING([--with-mbedtls=DIR], [Specify alternate MbedTLS prefix]),
+    [],
+    [with_mbedtls=no]
+)
+
 dnl # Do not use default SSL installation if we are cross-compiling
-if test "x$ac_cross_compile" != "x" -a "x$with_ssl" = "xno" -a "x$with_gnutls" = "xno"; then
+if test "x$ac_cross_compile" != "x" -a "x$with_ssl" = "xno" -a "x$with_gnutls" = "xno" -a "x$with_mbedtls" = "xno"; then
     enable_ssl=no
 fi
 
@@ -2174,7 +2181,7 @@ AC_ARG_ENABLE(ssl,
             AC_MSG_RESULT([Using SSL prefix... $with_ssl])
         fi
 
-        if test "x$with_gnutls" = "xno"; then
+        if test "x$with_gnutls" = "xno" -a "x$with_mbedtls" = "xno"; then
             # We still need to check for OpenSSL installations even if
             # we find Darwin SSL above since DTLS requires OpenSSL.
             AC_MSG_RESULT([checking for OpenSSL installations..])
@@ -2264,6 +2271,41 @@ AC_ARG_ENABLE(ssl,
             fi
 
         fi
+
+        if test "x$ac_ssl_backend" = "x"; then
+            if test "x$with_mbedtls" != "xno" -a "x$with_mbedtls" != "x"; then
+                CFLAGS="$CFLAGS -I$with_mbedtls/include"
+                LDFLAGS="$LDFLAGS -L$with_mbedtls/lib"
+                AC_MSG_RESULT([Using MbedTLS prefix... $with_mbedtls])
+            fi
+
+            AC_MSG_RESULT([checking for MbedTLS installations..])
+            AC_SUBST(mbedtls_h_present)
+            AC_SUBST(libmbedtls_present)
+            AC_CHECK_HEADER(mbedtls/version.h, [mbedtls_h_present=1])
+
+            if test "$PKG_CONFIG" != "none"; then
+                if $PKG_CONFIG --exists mbedtls mbedcrypto mbedx509; then
+                    LIBS="$LIBS `$PKG_CONFIG --libs mbedtls mbedcrypto mbedx509`"
+                    libmbedtls_present=1
+                else
+                    AC_CHECK_LIB(mbedtls, mbedtls_version_get_number, [
+                        libmbedtls_present=1 && LIBS="$LIBS -lmbedtls"])
+                fi
+            else
+                AC_MSG_RESULT([*** Warning: neither pkg-config nor python is available, disabling mbedtls. ***])
+            fi
+
+            if test "x$mbedtls_h_present" = "x1" -a "x$libmbedtls_present" = "x1"; then
+                AC_MSG_RESULT([MbedTLS library found, SSL support enabled])
+                AC_DEFINE(PJ_HAS_SSL_SOCK, 1)
+                AC_DEFINE(PJ_SSL_SOCK_IMP, PJ_SSL_SOCK_IMP_MBEDTLS)
+                ac_ssl_backend="mbedtls"
+            else
+                AC_MSG_RESULT([** No MbedTLS libraries found, disabling SSL support **])
+            fi
+
+        fi
     ]
 )
 

diff --git a/pjlib/build/Makefile b/pjlib/build/Makefile
@@ -36,7 +36,7 @@ export PJLIB_OBJS += $(OS_OBJS) $(M_OBJS) $(CC_OBJS) $(HOST_OBJS) \
 	os_time_common.o os_info.o pool.o pool_buf.o pool_caching.o pool_dbg.o \
 	rand.o rbtree.o sock_common.o sock_qos_common.o \
 	ssl_sock_common.o ssl_sock_ossl.o ssl_sock_gtls.o ssl_sock_dump.o \
-	ssl_sock_darwin.o string.o timer.o types.o unittest.o
+	ssl_sock_darwin.o ssl_sock_mbedtls.o string.o timer.o types.o unittest.o
 export PJLIB_CFLAGS += $(_CFLAGS)
 export PJLIB_CXXFLAGS += $(_CXXFLAGS)
 export PJLIB_LDFLAGS += $(_LDFLAGS)

diff --git a/pjlib/include/pj/config.h b/pjlib/include/pj/config.h
@@ -1117,6 +1117,9 @@
 /** Using Windows's Schannel */
 #define PJ_SSL_SOCK_IMP_SCHANNEL    5
 
+/** Using Mbed TLS */
+#define PJ_SSL_SOCK_IMP_MBEDTLS     6
+
 /**
  * Select which SSL socket implementation to use. Currently pjlib supports
  * PJ_SSL_SOCK_IMP_OPENSSL, which uses OpenSSL, and PJ_SSL_SOCK_IMP_GNUTLS,