Add mbedTLS support

CMakeLists.txt

@@ -213,11 +213,20 @@ endif()
 # put all binaries into one directory (even from subprojects)
 set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${PROJECT_BINARY_DIR})
 
-# dependencies - OpenSSL (required by later libnetconf2 checks and not really the server itself)
-find_package(OpenSSL 3.0.0)
-if(OPENSSL_FOUND)
-    list(APPEND CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    list(APPEND CMAKE_REQUIRED_LIBRARIES ${OPENSSL_LIBRARIES})
+# dependencies - SSL library (required by later libnetconf2 checks and not really the server itself)
+find_package(MbedTLS 3.5.0)
+if (MBEDTLS_FOUND)
+    # dependencies - mbedtls
+    set(HAVE_MBEDTLS TRUE)
+    list(APPEND CMAKE_REQUIRED_INCLUDES ${MBEDTLS_INCLUDE_DIRS})
+    list(APPEND CMAKE_REQUIRED_LIBRARIES ${MBEDTLS_LIBRARIES})
+else()
+    # dependencies - OpenSSL
+    find_package(OpenSSL 3.0.0)
+    if(OPENSSL_FOUND)
+        list(APPEND CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+        list(APPEND CMAKE_REQUIRED_LIBRARIES ${OPENSSL_LIBRARIES})
+    endif()
 endif()
 
 # dependencies - libssh (also required by libnetconf2 checks)

CMakeModules/FindMbedTLS.cmake

@@ -0,0 +1,110 @@
+# - Try to find MbedTLS
+# Once done this will define
+#
+#  MBEDTLS_FOUND - MbedTLS was found
+#  MBEDTLS_INCLUDE_DIRS - MbedTLS include directories
+#  MBEDTLS_LIBRARIES - link these to use MbedTLS
+#  MBEDTLS_VERSION - version of MbedTLS
+#
+#  Author Roman Janota <[email protected]>
+#  Copyright (c) 2025 CESNET, z.s.p.o.
+#
+#  Redistribution and use in source and binary forms, with or without
+#  modification, are permitted provided that the following conditions
+#  are met:
+#
+#  1. Redistributions of source code must retain the copyright
+#     notice, this list of conditions and the following disclaimer.
+#  2. Redistributions in binary form must reproduce the copyright
+#     notice, this list of conditions and the following disclaimer in the
+#     documentation and/or other materials provided with the distribution.
+#  3. The name of the author may not be used to endorse or promote products
+#     derived from this software without specific prior written permission.
+#
+#  THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+#  IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+#  OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+#  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+#  INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+#  NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+#  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+#  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+#  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+#  THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+include(FindPackageHandleStandardArgs)
+
+if(MBEDTLS_LIBRARIES AND MBEDTLS_INCLUDE_DIRS)
+    # in cache already
+    set(MBEDTLS_FOUND TRUE)
+else()
+    find_path(MBEDTLS_INCLUDE_DIR
+        NAMES
+            mbedtls/ssl.h
+        PATHS
+            /opt/local/include
+            /sw/include
+            ${CMAKE_INCLUDE_PATH}
+            ${CMAKE_INSTALL_PREFIX}/include
+    )
+
+    find_library(MBEDTLS_LIBRARY
+        NAMES
+            libmbedtls.so
+        PATHS
+            /usr/lib
+            /usr/lib64
+            /opt/local/lib
+            /sw/lib
+            ${CMAKE_LIBRARY_PATH}
+            ${CMAKE_INSTALL_PREFIX}/lib
+    )
+
+    find_library(MBEDX509_LIBRARY
+        NAMES
+            libmbedx509.so
+        PATHS
+            /usr/lib
+            /usr/lib64
+            /opt/local/lib
+            /sw/lib
+            ${CMAKE_LIBRARY_PATH}
+            ${CMAKE_INSTALL_PREFIX}/lib
+    )
+
+    find_library(MBEDCRYPTO_LIBRARY
+        NAMES
+            libmbedcrypto.so
+        PATHS
+            /usr/lib
+            /usr/lib64
+            /opt/local/lib
+            /sw/lib
+            ${CMAKE_LIBRARY_PATH}
+            ${CMAKE_INSTALL_PREFIX}/lib
+    )
+
+    if(MBEDTLS_INCLUDE_DIR AND MBEDTLS_LIBRARY AND MBEDX509_LIBRARY AND MBEDCRYPTO_LIBRARY)
+        # learn MbedTLS version
+        if(EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h")
+            file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h" MBEDTLS_VERSION
+                REGEX "#define[ \t]+MBEDTLS_VERSION_STRING[ \t]+\"([0-9]+\.[0-9]+\.[0-9]+)\"")
+            string(REGEX MATCH "[0-9]+\\.[0-9]+\\.[0-9]+" MBEDTLS_VERSION ${MBEDTLS_VERSION})
+        endif()
+        if(NOT MBEDTLS_VERSION)
+            message(STATUS "MBEDTLS_VERSION not found, assuming MbedTLS is too old and cannot be used!")
+            set(MBEDTLS_INCLUDE_DIR "MBEDTLS_INCLUDE_DIR-NOTFOUND")
+            set(MBEDTLS_LIBRARY "MBEDTLS_LIBRARY-NOTFOUND")
+        endif()
+    endif()
+
+    set(MBEDTLS_INCLUDE_DIRS ${MBEDTLS_INCLUDE_DIR})
+    set(MBEDTLS_LIBRARIES ${MBEDTLS_LIBRARY} ${MBEDX509_LIBRARY} ${MBEDCRYPTO_LIBRARY})
+
+    find_package_handle_standard_args(MbedTLS FOUND_VAR MBEDTLS_FOUND
+        REQUIRED_VARS MBEDTLS_INCLUDE_DIRS MBEDTLS_LIBRARIES
+        VERSION_VAR MBEDTLS_VERSION)
+
+    # show the MBEDTLS_INCLUDE_DIR and MBEDTLS_LIBRARIES variables only in the advanced view
+    mark_as_advanced(MBEDTLS_INCLUDE_DIRS MBEDTLS_LIBRARIES)
+endif()

cli/CMakeLists.txt

@@ -41,12 +41,18 @@ if(LIBNETCONF2_ENABLED_SSH_TLS)
     target_link_libraries(netopeer2-cli ${LIBSSH_LIBRARIES})
     include_directories(${LIBSSH_INCLUDE_DIRS})
 
-    # - openssl
-    if(NOT OPENSSL_FOUND)
-        message(FATAL_ERROR "libnetconf2 supports TLS but OpenSSL was not found, CLI compilation failed!")
+    # - SSL library
+    if (MBEDTLS_FOUND)
+        # - MbedTLS (has priority over OpenSSL)
+        target_link_libraries(netopeer2-cli ${MBEDTLS_LIBRARIES})
+        include_directories(${MBEDTLS_INCLUDE_DIRS})
+    elseif(OPENSSL_FOUND)
+        # - OpenSSL
+        target_link_libraries(netopeer2-cli ${OPENSSL_LIBRARIES})
+        include_directories(${OPENSSL_INCLUDE_DIR})
+    else()
+        message(FATAL_ERROR "libnetconf2 supports TLS but neither MbedTLS nor OpenSSL were found, CLI compilation failed!")
     endif()
-    target_link_libraries(netopeer2-cli ${OPENSSL_LIBRARIES})
-    include_directories(${OPENSSL_INCLUDE_DIR})
 endif()
 
 # compat checks

cli/cli_config.h.in

@@ -18,3 +18,8 @@
 #define CLI_VERSION "@NP2CLI_VERSION@"
 
 #define NC_CLI_PROMPT "@CLI_PROMPT@ "
+
+/**
+ * @brief Whether mbedTLS is used for TLS support.
+ */
+#cmakedefine HAVE_MBEDTLS