Merge pull request #164 from Faless/feat/mbedtls

[TLS] Move from OpenSSL to mbedTLS

Author: Faless

.github/workflows/build_release.yml

@@ -193,6 +193,7 @@ jobs:
           fi
           tar -xjf ${{ matrix.buildroot }}.tar.bz2
           ${{ matrix.buildroot }}/relocate-sdk.sh
+          rm ${{ matrix.buildroot }}/bin/cmake
           echo "$GITHUB_WORKSPACE/${{ matrix.buildroot }}/bin" >> $GITHUB_PATH
           echo "PKG_CONFIG=$GITHUB_WORKSPACE/${{ matrix.buildroot }}/share/pkgconfig/" >> $GITHUB_ENV
           patch -p1 < misc/patches/scons_path.diff
@@ -252,11 +253,10 @@ jobs:
         run: |
           cp LICENSE artifacts/LICENSE.webrtc-native
           cp thirdparty/libdatachannel/LICENSE artifacts/LICENSE.libdatachannel
-          cp thirdparty/openssl/LICENSE.txt artifacts/LICENSE.openssl
+          cp thirdparty/mbedtls/LICENSE artifacts/LICENSE.mbedtls
           cp thirdparty/libdatachannel/deps/libjuice/LICENSE artifacts/LICENSE.libjuice
           cp thirdparty/libdatachannel/deps/usrsctp/LICENSE.md artifacts/LICENSE.usrsctp
           cp thirdparty/libdatachannel/deps/libsrtp/LICENSE artifacts/LICENSE.libsrtp
-          cp thirdparty/libdatachannel/deps/json/LICENSE.MIT artifacts/LICENSE.json
           cp thirdparty/libdatachannel/deps/plog/LICENSE artifacts/LICENSE.plog
 
       - name: Package artifacts for release

.gitmodules

@@ -7,6 +7,6 @@
 [submodule "libdatachannel"]
 	path = thirdparty/libdatachannel
 	url = https://github.com/paullouisageneau/libdatachannel.git
-[submodule "openssl"]
-	path = thirdparty/openssl
-	url = https://github.com/openssl/openssl.git
+[submodule "mbedtls"]
+	path = thirdparty/mbedtls
+	url = https://github.com/Mbed-TLS/mbedtls.git

README.md

@@ -7,7 +7,7 @@
 
 ### Compiling
 
-Clone this repository with the following command to checkout all the dependencies: [godot-cpp](https://github.com/godotengine/godot-cpp), [openssl](https://www.openssl.org/) and [libdatachannel](https://github.com/paullouisageneau/libdatachannel) (and sub-dependencies).
+Clone this repository with the following command to checkout all the dependencies: [godot-cpp](https://github.com/godotengine/godot-cpp), [mbedTLS](https://github.com/Mbed-TLS/mbedtls) and [libdatachannel](https://github.com/paullouisageneau/libdatachannel) (and sub-dependencies).
 
 ```
 $ git clone --recurse-submodules https://github.com/godotengine/webrtc-native.git

SConstruct

@@ -183,18 +183,21 @@ else:
     sources.append("src/init_gdextension.cpp")
 
 # Add our build tools
-for tool in ["openssl", "cmake", "rtc"]:
+for tool in ["cmake", "mbedtls", "rtc"]:
     env.Tool(tool, toolpath=["tools"])
 
-ssl = env.OpenSSL()
+# Make sure Substfile is also loaded
+env.Tool("textfile")
 
-rtc = env.BuildLibDataChannel(ssl)
+mbedtls = env.BuildMbedTLS()
+
+rtc = env.BuildLibDataChannel(mbedtls)
 
 # Forces building our sources after OpenSSL and libdatachannel.
 # This is because OpenSSL headers are generated by their build system and SCons doesn't know about them.
 # Note: This might not be necessary in this specific case since our sources doesn't include OpenSSL headers directly,
 # but it's better to be safe in case of indirect inclusions by one of our other dependencies.
-env.Depends(sources, ssl + rtc)
+env.Depends(sources, rtc + mbedtls)
 
 # We want to statically link against libstdc++ on Linux to maximize compatibility, but we must restrict the exported
 # symbols using a GCC version script, or we might end up overriding symbols from other libraries.

thirdparty/README.md

@@ -5,21 +5,10 @@ respective folder names. Use two empty lines to separate categories for
 readability.
 
 
-## json
-
-- Upstream: https://github.com/nlohmann/json
-- Version: 3.11.3 (9cca280a4d0ccf0c08f47a99aa71d1b0e52f8d03, 2023)
-- License: MIT
-
-Module location:
-
-- thirdparty/libdatachannel/deps/json
-
-
 ## libdatachannel
 
 - Upstream: https://github.com/paullouisageneau/libdatachannel
-- Version: 0.22.3 (d74748fd46f75cee5090d187841c6921820eb9d0, 2024)
+- Version: 0.22.6 (0d6adc021953d7263fd4503482ea7bde33553724, 2025)
 - License: MPL 2.0
 
 Module location:
@@ -30,7 +19,7 @@ Module location:
 # libjuice
 
 - Upstream: https://github.com/paullouisageneau/libjuice
-- Version: 1.5.7 (70ba50cce33350b64404557ea63658e925758ce6, 2024)
+- Version: 1.5.9 (8d1a99a0683a811876c03a73ff764a92774027ad, 2025)
 - License: MPL 2.0
 
 Module location:
@@ -49,15 +38,15 @@ Module location:
 - thirdparty/libdatachannel/deps/libsrtp
 
 
-## openssl
+## mbedTLS
 
-- Upstream: git://git.openssl.org/openssl.git
-- Version: 3.4.0 (98acb6b02839c609ef5b837794e08d906d965335, 2024)
+- Upstream: https://github.com/Mbed-TLS/mbedtls.git
+- Version: 3.6.3 (22098d41c6620ce07cf8a0134d37302355e1e5ef, 2025)
 - License: Apache 2.0
 
 Module location:
 
-- thirdparty/openssl
+- thirdparty/mbedtls
 
 
 ## plog

thirdparty/libdatachannel

@@ -1,8 +1,10 @@
-import os, sys
+import os
+import shlex
+import sys
 
-import SCons.Util
-import SCons.Builder
 import SCons.Action
+import SCons.Builder
+import SCons.Util
 
 
 # This must be kept in sync with the value in https://github.com/godotengine/godot/blob/master/platform/android/detect.py#L58.
@@ -12,7 +14,7 @@ def get_ndk_version():
 
 def cmake_default_flags(env):
     if env.get("cmake_default_flags", ""):
-        return SCons.Util.CLVar(env["cmake_default_flags"])
+        return shlex.split(env["cmake_default_flags"])
 
     config = {}
 
@@ -79,18 +81,17 @@ def cmake_default_flags(env):
 
     elif env["platform"] == "windows":
         config["CMAKE_SYSTEM_NAME"] = "Windows"
-
-    flags = ["-D%s=%s" % it for it in config.items()]
-    if env["CMAKEGENERATOR"]:
-        flags.extend(["-G", env["CMAKEGENERATOR"]])
-    elif env["platform"] == "windows":
         if env.get("is_msvc", False):
-            flags.extend(["-G", "NMake Makefiles"])
-        elif sys.platform in ["win32", "msys", "cygwin"]:
-            flags.extend(["-G", "Ninja"])
-        else:
-            flags.extend(["-G", "Unix Makefiles"])
-    return flags
+            config["CMAKE_POLICY_DEFAULT_CMP0091"] = "NEW"
+            if env.get("debug_crt", False):
+                config["CMAKE_MSVC_RUNTIME_LIBRARY"] = "MultiThreadedDebugDLL"
+            else:
+                if env.get("use_static_cpp", False):
+                    config["CMAKE_MSVC_RUNTIME_LIBRARY"] = "MultiThreaded"
+                else:
+                    config["CMAKE_MSVC_RUNTIME_LIBRARY"] = "MultiThreadedDLL"
+
+    return ["-D%s=%s" % it for it in config.items()]
 
 
 def cmake_emitter(target, source, env):
@@ -100,41 +101,77 @@ def cmake_emitter(target, source, env):
 def cmake_generator(target, source, env, for_signature):
     # Strip the -j option for signature to avoid rebuilding when num_jobs changes.
     build = env["CMAKEBUILDCOM"].replace("-j$CMAKEBUILDJOBS", "") if for_signature else env["CMAKEBUILDCOM"]
-    return [
+    actions = [
         SCons.Action.Action("$CMAKECONFCOM", "$CMAKECONFCOMSTR"),
         SCons.Action.Action(build, "$CMAKEBUILDCOMSTR"),
     ]
+    if env["CMAKE_INSTALL"]:
+        actions.append(
+            SCons.Action.Action("$CMAKEINSTALLCOM", "$CMAKEINSTALLCOMSTR"),
+        )
+    return actions
 
 
-def cmake_build(env, target_dir, source_dir, cmake_outputs=[], cmake_targets=[], cmake_options=[], dependencies=[]):
+def cmake_build(
+    env, target_dir, source_dir, cmake_outputs=[], cmake_targets=[], cmake_options=[], dependencies=[], install=False
+):
     cmake_env = env.Clone()
     target = env.Dir("{}/{}/{}".format(target_dir, env["platform"], env["arch"]))
     source = env.Dir(source_dir)
     builder_targets = [target] + [str(target) + "/" + f for f in cmake_outputs]
     builder_sources = [source] + dependencies
-    cmake_env.Append(CMAKECONFFLAGS=["-D%s=%s" % it for it in cmake_options.items()])
+    default_flags = cmake_default_flags(env)
+
+    # Merge flags
+    flags = []
+    for df in default_flags:
+        if not df.startswith("-D"):
+            flags.append(df)
+        else:
+            f = df[2:].split("=")[0]
+            if f in cmake_options:
+                df += " " + cmake_options[f]
+                cmake_options.pop(f)
+            flags.append(df)
+    for opt in cmake_options:
+        flags.append("-D%s=%s" % (opt, cmake_options[opt]))
+
+    # Select generator
+    if env["cmake_generator"]:
+        flags.extend(["-G", env["cmake_generator"]])
+    elif env["platform"] == "windows":
+        if env.get("is_msvc", False):
+            flags.extend(["-G", "NMake Makefiles"])
+        elif sys.platform in ["win32", "msys", "cygwin"]:
+            flags.extend(["-G", "Ninja"])
+        else:
+            flags.extend(["-G", "Unix Makefiles"])
+
+    cmake_env.Append(CMAKECONFFLAGS=flags)
     if len(cmake_targets) > 0:
         cmake_env.Append(CMAKEBUILDFLAGS=["-t"] + [t for t in cmake_targets])
+    cmake_env["CMAKE_INSTALL"] = install
     return cmake_env.CMake(builder_targets, builder_sources)
 
 
 def options(opts):
     opts.Add("cmake_default_flags", "Default CMake platform flags override, will be autodetected if not specified.", "")
+    opts.Add("cmake_generator", "CMake generator override, will be autodetected from platform if not specified.", "")
+    opts.Add("cmake", "CMake binary to use", "cmake")
 
 
 def exists(env):
     return True
 
 
 def generate(env):
-    env["CMAKE"] = "cmake"
-    env["_cmake_default_flags"] = cmake_default_flags
-    env["CMAKEDEFAULTFLAGS"] = "${_cmake_default_flags(__env__)}"
-    env["CMAKEGENERATOR"] = ""
+    env["CMAKE"] = env["cmake"]
     env["CMAKECONFFLAGS"] = SCons.Util.CLVar("")
-    env["CMAKECONFCOM"] = "$CMAKE -B ${TARGET.dir} $CMAKEDEFAULTFLAGS $CMAKECONFFLAGS ${SOURCE.dir}"
+    env["CMAKECONFCOM"] = "$CMAKE -B ${TARGET.dir} $CMAKECONFFLAGS ${SOURCE.dir}"
     env["CMAKEBUILDJOBS"] = "${__env__.GetOption('num_jobs')}"
     env["CMAKEBUILDFLAGS"] = SCons.Util.CLVar("")
+    env["CMAKEINSTALLFLAGS"] = SCons.Util.CLVar("")
     env["CMAKEBUILDCOM"] = "$CMAKE --build ${TARGET.dir} $CMAKEBUILDFLAGS -j$CMAKEBUILDJOBS"
+    env["CMAKEINSTALLCOM"] = "$CMAKE --install ${TARGET.dir} $CMAKEINSTALLFLAGS"
     env["BUILDERS"]["CMake"] = SCons.Builder.Builder(generator=cmake_generator, emitter=cmake_emitter)
     env.AddMethod(cmake_build, "CMakeBuild")

thirdparty/mbedtls

@@ -0,0 +1,67 @@
+def build_library(env):
+    mbedtls_bin = env.Dir("bin/thirdparty/mbedtls/{}/{}/install".format(env["platform"], env["arch"]))
+    is_msvc = env.get("is_msvc", False)
+    c_flags = "-DMBEDTLS_SSL_DTLS_SRTP"
+    if env["platform"] == "linux":
+        # This is needed on some arch when building with the godot buildroot toolchain
+        c_flags += " -fPIC"
+    elif env["platform"] == "windows" and not is_msvc:
+        c_flags += " -D__USE_MINGW_ANSI_STDIO=0"  # See https://github.com/Mbed-TLS/mbedtls/issues/10161
+
+    mbedtls_config = {
+        "CMAKE_BUILD_TYPE": "RelWithDebInfo" if env["debug_symbols"] else "Release",
+        "ENABLE_TESTING": 0,
+        "ENABLE_PROGRAMS": 0,
+        "CMAKE_INSTALL_PREFIX": env.Dir(mbedtls_bin).abspath,
+        "CMAKE_C_FLAGS": c_flags,
+    }
+    lib_ext = ".lib" if is_msvc else ".a"
+    lib_prefix = "" if is_msvc else "lib"
+    mbedtls_libs = [
+        "/install/lib/{}mbedtls{}".format(lib_prefix, lib_ext),
+        "/install/lib/{}mbedx509{}".format(lib_prefix, lib_ext),
+        "/install/lib/{}mbedcrypto{}".format(lib_prefix, lib_ext),
+    ]
+
+    mbedtls_cmake_config = [
+        "/install/lib/cmake/MbedTLS/MbedTLSConfig.cmake",
+        "/install/lib/cmake/MbedTLS/MbedTLSConfigVersion.cmake",
+        "/install/lib/cmake/MbedTLS/MbedTLSTargets.cmake",
+    ]
+
+    # Build libdatachannel
+    mbedtls = env.CMakeBuild(
+        env.Dir("bin/thirdparty/mbedtls/"),
+        env.Dir("thirdparty/mbedtls"),
+        cmake_options=mbedtls_config,
+        cmake_outputs=mbedtls_libs + mbedtls_cmake_config,
+        install=True,
+    )
+
+    # Configure env.
+    if env["platform"] == "windows":
+        env.PrependUnique(LIBS=["bcrypt", "ws2_32", "iphlpapi"])
+    if env["platform"] == "linux":
+        env.PrependUnique(LIBS=["pthread"])
+    env.Prepend(LIBS=list(filter(lambda f: str(f).endswith(lib_ext), mbedtls)))
+    env.Append(CPPPATH=[env.Dir("thirdparty/mbedtls/include")])
+
+    return mbedtls
+
+
+def exists(env):
+    return "CMake" in env
+
+
+def generate(env):
+    mbedtls_install_dir = "bin/thirdparty/mbedtls/{}/{}/install".format(env["platform"], env["arch"])
+    lib_ext = ".lib" if env.get("is_msvc", False) else ".a"
+    mbedtls = env.File(mbedtls_install_dir + "/lib/libmbedtls" + lib_ext)
+    crypto = env.File(mbedtls_install_dir + "/lib/libmbedcrypto" + lib_ext)
+    x509 = env.File(mbedtls_install_dir + "/lib/libmbedx509" + lib_ext)
+    includes = env.Dir("thirdparty/mbedtls/include")
+    env.AddMethod(build_library, "BuildMbedTLS")
+    env["MBEDTLS_LIBRARY"] = mbedtls.abspath
+    env["MBEDTLS_CRYPTO_LIBRARY"] = crypto.abspath
+    env["MBEDTLS_X509_LIBRARY"] = x509.abspath
+    env["MBEDTLS_INCLUDE"] = includes.abspath