Add Mbed-TLS crypto backend

Mbed-TLS is a tiny TLS implementation designed for embedded environment which
can greatly reduce the disk space requirement compared to OpenSSL. While we
already have crypto_kernel for this purpose and Mbed-TLS lacking hash/cipher
support can cause reduced functionality, there're situations where AF_ALG is
not available but we're fine with limited scenarios like LUKS2 only.

.gitlab/ci/compilation-clang.gitlab-ci.yml

@@ -39,13 +39,14 @@ test-scan-build-backends:
           "gcrypt",
           "nss",
           "kernel",
-          "nettle"
+          "nettle",
+          "mbedtls"
       ]
   rules:
       - changes:
         - lib/crypto_backend/*
   script:
-    - DEBIAN_FRONTEND=noninteractive apt-get -yq install libgcrypt20-dev libnss3-dev nettle-dev
+    - DEBIAN_FRONTEND=noninteractive apt-get -yq install libgcrypt20-dev libnss3-dev nettle-dev libmbedtls-dev
     - ./autogen.sh
     - echo "Configuring with crypto backend $BACKENDS"
     - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} -V ./configure CFLAGS="-g -O0" --with-crypto_backend=$BACKENDS

.gitlab/ci/compilation-gcc.gitlab-ci.yml

@@ -39,13 +39,14 @@ test-gcc-fanalyzer-backends:
           "gcrypt",
           "nss",
           "kernel",
-          "nettle"
+          "nettle",
+          "mbedtls"
       ]
   rules:
       - changes:
         - lib/crypto_backend/*
   script:
-    - DEBIAN_FRONTEND=noninteractive apt-get -yq install libgcrypt20-dev libnss3-dev nettle-dev
+    - DEBIAN_FRONTEND=noninteractive apt-get -yq install libgcrypt20-dev libnss3-dev nettle-dev libmbedtls-dev
     - export CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events"
     - ./autogen.sh
     - echo "Configuring with crypto backend $BACKENDS"

configure.ac

@@ -399,6 +399,22 @@ AC_DEFUN([CONFIGURE_NETTLE], [
 	NO_FIPS([])
 ])
 
+AC_DEFUN([CONFIGURE_MBEDTLS], [
+	AC_CHECK_HEADERS(mbedtls/version.h,,
+		[AC_MSG_ERROR([You need mbedTLS cryptographic library.])])
+
+	saved_LIBS=$LIBS
+	AC_CHECK_LIB(mbedcrypto, mbedtls_md_init,,
+		[AC_MSG_ERROR([You need mbedTLS cryptographic library.])])
+	CRYPTO_LIBS=$LIBS
+	LIBS=$saved_LIBS
+
+	CRYPTO_STATIC_LIBS=$CRYPTO_LIBS
+	use_internal_pbkdf2=1
+	use_internal_argon2=1
+	NO_FIPS([])
+])
+
 dnl ==========================================================================
 saved_LIBS=$LIBS
 
@@ -481,7 +497,7 @@ fi
 
 dnl Crypto backend configuration.
 AC_ARG_WITH([crypto_backend],
-	AS_HELP_STRING([--with-crypto_backend=BACKEND], [crypto backend (gcrypt/openssl/nss/kernel/nettle) [openssl]]),
+	AS_HELP_STRING([--with-crypto_backend=BACKEND], [crypto backend (gcrypt/openssl/nss/kernel/nettle/mbedtls) [openssl]]),
 	[], [with_crypto_backend=openssl])
 
 dnl Kernel crypto API backend needed for benchmark and tcrypt
@@ -501,13 +517,15 @@ case $with_crypto_backend in
 	nss)     CONFIGURE_NSS([]) ;;
 	kernel)  CONFIGURE_KERNEL([]) ;;
 	nettle)  CONFIGURE_NETTLE([]) ;;
+	mbedtls) CONFIGURE_MBEDTLS([]) ;;
 	*) AC_MSG_ERROR([Unknown crypto backend.]) ;;
 esac
 AM_CONDITIONAL(CRYPTO_BACKEND_GCRYPT,  test "$with_crypto_backend" = "gcrypt")
 AM_CONDITIONAL(CRYPTO_BACKEND_OPENSSL, test "$with_crypto_backend" = "openssl")
 AM_CONDITIONAL(CRYPTO_BACKEND_NSS,     test "$with_crypto_backend" = "nss")
 AM_CONDITIONAL(CRYPTO_BACKEND_KERNEL,  test "$with_crypto_backend" = "kernel")
 AM_CONDITIONAL(CRYPTO_BACKEND_NETTLE,  test "$with_crypto_backend" = "nettle")
+AM_CONDITIONAL(CRYPTO_BACKEND_MBEDTLS, test "$with_crypto_backend" = "mbedtls")
 
 AM_CONDITIONAL(CRYPTO_INTERNAL_PBKDF2, test $use_internal_pbkdf2 = 1)
 AC_DEFINE_UNQUOTED(USE_INTERNAL_PBKDF2, [$use_internal_pbkdf2], [Use internal PBKDF2])

lib/crypto_backend/Makemodule.am

@@ -31,6 +31,9 @@ endif
 if CRYPTO_BACKEND_NETTLE
 libcrypto_backend_la_SOURCES += lib/crypto_backend/crypto_nettle.c
 endif
+if CRYPTO_BACKEND_MBEDTLS
+libcrypto_backend_la_SOURCES += lib/crypto_backend/crypto_mbedtls.c
+endif
 
 if CRYPTO_INTERNAL_PBKDF2
 libcrypto_backend_la_SOURCES += lib/crypto_backend/pbkdf2_generic.c