pw_crypto: Add Bazel mbedtls backend

Also make this backend the default one, in view of the upcoming
deprecation of boringssl (b/275567694).

Bug: b/274522064

Change-Id: Ice73272727b3993c37116c6feaf2c8f5484973f8
Reviewed-on: https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/137739
Pigweed-Auto-Submit: Ted Pudlik <tpudlik@google.com>
Reviewed-by: Ali Zhang <alizhang@google.com>
Commit-Queue: Auto-Submit <auto-submit@pigweed.google.com.iam.gserviceaccount.com>

.bazelrc

@@ -52,6 +52,8 @@ build --cxxopt="-Wno-register"
 # TODO(pwbug/437): Remove this once pwbug/437 is completely resolved.
 build --action_env=PATH
 
+build --@mbedtls//:mbedtls_config=//third_party/mbedtls:default_config
+
 # Define the --config=asan-libfuzzer configuration.
 build:asan-libfuzzer \
     --@rules_fuzzing//fuzzing:cc_engine=@rules_fuzzing//fuzzing/engines:libfuzzer

WORKSPACE

@@ -396,6 +396,15 @@ git_repository(
     shallow_since = "1637714942 +0000",
 )
 
+git_repository(
+    name = "mbedtls",
+    build_file = "//:third_party/mbedtls/BUILD.mbedtls",
+    # mbedtls-3.2.1 released 2022-07-12
+    commit = "869298bffeea13b205343361b7a7daf2b210e33d",
+    remote = "https://pigweed.googlesource.com/third_party/github/ARMmbed/mbedtls",
+    shallow_since = "1648504566 -0700",
+)
+
 http_archive(
     name = "freertos",
     build_file = "//:third_party/freertos/BUILD.bazel",

pw_crypto/BUILD.bazel

@@ -46,6 +46,29 @@ pw_cc_library(
     ],
 )
 
+constraint_setting(
+    name = "sha256_backend_constraint_setting",
+)
+
+constraint_value(
+    name = "sha256_boringssl_backend",
+    constraint_setting = ":sha256_backend_constraint_setting",
+)
+
+constraint_value(
+    name = "sha256_mbedtls_backend",
+    constraint_setting = ":sha256_backend_constraint_setting",
+)
+
+alias(
+    name = "sha256_backend_multiplexer",
+    actual = select({
+        ":sha256_boringssl_backend": ":sha256_boringssl",
+        ":sha256_mbedtls_backend": ":sha256_mbedtls",
+        "//conditions:default": ":sha256_mbedtls",
+    }),
+)
+
 pw_cc_library(
     name = "sha256_mbedtls",
     srcs = ["sha256_mbedtls.cc"],
@@ -54,9 +77,11 @@ pw_cc_library(
         "public_overrides/mbedtls/pw_crypto/sha256_backend.h",
     ],
     includes = ["public_overrides/mbedtls"],
-    # TODO(b/236321905): Requires BUILD.bazel files for mbedtls
     tags = ["manual"],
-    deps = [":sha256_facade"],
+    deps = [
+        ":sha256_facade",
+        "@mbedtls",
+    ],
 )
 
 pw_cc_library(
@@ -131,12 +156,44 @@ pw_cc_library(
     ],
 )
 
+constraint_setting(
+    name = "ecdsa_backend_constraint_setting",
+)
+
+constraint_value(
+    name = "ecdsa_boringssl_backend",
+    constraint_setting = ":ecdsa_backend_constraint_setting",
+)
+
+constraint_value(
+    name = "ecdsa_mbedtls_backend",
+    constraint_setting = ":ecdsa_backend_constraint_setting",
+)
+
+constraint_value(
+    name = "ecdsa_uecc_backend",
+    constraint_setting = ":ecdsa_backend_constraint_setting",
+)
+
+alias(
+    name = "ecdsa_backend_multiplexer",
+    actual = select({
+        ":ecdsa_boringssl_backend": ":ecdsa_boringssl",
+        ":ecdsa_mbedtls_backend": ":ecdsa_mbedtls",
+        ":ecdsa_uecc_backend": ":ecdsa_uecc",
+        "//conditions:default": ":ecdsa_mbedtls",
+    }),
+)
+
 pw_cc_library(
     name = "ecdsa_mbedtls",
     srcs = ["ecdsa_mbedtls.cc"],
-    # TODO(b/236321905): Requires BUILD.bazel files for mbedtls
-    tags = ["manual"],
-    deps = [":ecdsa_facade"],
+    deps = [
+        ":ecdsa_facade",
+        "//pw_function",
+        "//pw_log",
+        "@mbedtls",
+    ],
 )
 
 pw_cc_library(

pw_crypto/docs.rst

@@ -101,7 +101,7 @@ The small code footprint makes the project suitable and popular for embedded
 systems.
 
 To select the Mbed TLS backend, the MbedTLS library needs to be installed and
-configured.
+configured. If using GN, do,
 
 .. code-block:: sh
 
@@ -117,6 +117,21 @@ configured.
 
   ninja -C out
 
+If using Bazel, add the Mbed TLS repository to your WORKSPACE and select
+appropriate backends by adding them to your project's `platform
+<https://bazel.build/extending/platforms>`_:
+
+.. code-block:: python
+
+  platform(
+    name = "my_platform",
+     constraint_values = [
+       "@pigweed//pw_crypto:sha256_mbedtls_backend",
+       "@pigweed//pw_crypto:ecdsa_mbedtls_backend",
+       # ... other constraint_values
+     ],
+  )
+
 For optimal code size and/or performance, the Mbed TLS library can be configured
 per product. Mbed TLS configuration is achieved by turning on and off MBEDTLS_*
 options in a config.h file. See //third_party/mbedtls for how this is done.
@@ -149,7 +164,7 @@ BoringSSL
 ^^^^^^^^^
 
 To select the BoringSSL backend, the BoringSSL library needs to be installed and
-configured.
+configured. If using GN, do,
 
 .. code-block:: sh
 
@@ -165,6 +180,21 @@ configured.
 
   ninja -C out
 
+If using Bazel, add the BoringSSL repository to your WORKSPACE and select
+appropriate backends by adding them to your project's `platform
+<https://bazel.build/extending/platforms>`_:
+
+.. code-block:: python
+
+  platform(
+    name = "my_platform",
+     constraint_values = [
+       "@pigweed//pw_crypto:sha256_boringssl_backend",
+       "@pigweed//pw_crypto:ecdsa_boringssl_backend",
+       # ... other constraint_values
+     ],
+  )
+
 BoringSSL does not provide a public configuration interface to reduce the code
 size.
 

targets/default_config.BUILD

@@ -14,16 +14,14 @@
 
 package(default_visibility = ["//visibility:public"])
 
-# TODO(b/236321905): Support backends other than boringSSL.
 label_flag(
     name = "pw_crypto_sha256_backend",
-    build_setting_default = "@pigweed//pw_crypto:sha256_boringssl",
+    build_setting_default = "@pigweed//pw_crypto:sha256_backend_multiplexer",
 )
 
-# TODO(b/236321905): Support backends other than boringSSL.
 label_flag(
     name = "pw_crypto_ecdsa_backend",
-    build_setting_default = "@pigweed//pw_crypto:ecdsa_boringssl",
+    build_setting_default = "@pigweed//pw_crypto:ecdsa_backend_multiplexer",
 )
 
 label_flag(

third_party/mbedtls/BUILD.bazel

@@ -17,6 +17,10 @@ load(
     "pw_cc_library",
 )
 
+package(
+    default_visibility = ["//visibility:public"],
+)
+
 # Ready-made configurations
 mbedtls_configs = [
     ("default", "configs/config_default.h"),
@@ -30,10 +34,8 @@ mbedtls_configs = [
             config_header,
             "configs/config_pigweed_common.h",
         ],
-        copts = ["-DMBEDTLS_CONFIG_FILE=\"%s\"" % config_header],
+        defines = ['MBEDTLS_CONFIG_FILE=\\"%s\\"' % config_header],
         includes = ["."],
     )
     for config_name, config_header in mbedtls_configs
 ]
-
-# TODO(zyecheng): Add build recipe for the library.

third_party/mbedtls/BUILD.mbedtls

@@ -0,0 +1,114 @@
+# Copyright 2023 The Pigweed Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+package(
+  default_visibility = ["//visibility:public"],
+)
+
+cc_library(
+    name = "mbedtls",
+    srcs = [
+        "library/aes.c",
+        "library/aesni.c",
+        "library/aria.c",
+        "library/asn1parse.c",
+        "library/asn1write.c",
+        "library/base64.c",
+        "library/bignum.c",
+        "library/camellia.c",
+        "library/ccm.c",
+        "library/chacha20.c",
+        "library/chachapoly.c",
+        "library/cipher.c",
+        "library/cipher_wrap.c",
+        "library/cmac.c",
+        "library/constant_time.c",
+        "library/ctr_drbg.c",
+        "library/des.c",
+        "library/dhm.c",
+        "library/ecdh.c",
+        "library/ecdsa.c",
+        "library/ecjpake.c",
+        "library/ecp.c",
+        "library/ecp_curves.c",
+        "library/entropy.c",
+        "library/entropy_poll.c",
+        "library/error.c",
+        "library/gcm.c",
+        "library/hkdf.c",
+        "library/hmac_drbg.c",
+        "library/md.c",
+        "library/md5.c",
+        "library/memory_buffer_alloc.c",
+        "library/mps_reader.c",
+        "library/mps_trace.c",
+        "library/nist_kw.c",
+        "library/oid.c",
+        "library/padlock.c",
+        "library/pem.c",
+        "library/pk.c",
+        "library/pk_wrap.c",
+        "library/pkcs12.c",
+        "library/pkcs5.c",
+        "library/pkparse.c",
+        "library/pkwrite.c",
+        "library/platform.c",
+        "library/platform_util.c",
+        "library/poly1305.c",
+        "library/ripemd160.c",
+        "library/rsa.c",
+        "library/rsa_alt_helpers.c",
+        "library/sha1.c",
+        "library/sha256.c",
+        "library/sha512.c",
+        "library/ssl_debug_helpers_generated.c",
+        "library/threading.c",
+        "library/timing.c",
+        "library/version.c",
+        "library/version_features.c",
+    ],
+    includes = ["include/"],
+    textual_hdrs = [
+        "library/aesni.h",
+        "library/bignum_internal.h",
+        "library/bn_mul.h",
+        "library/cipher_wrap.h",
+        "library/common.h",
+        "library/constant_time_internal.h",
+        "library/constant_time_invasive.h",
+        "library/ecp_internal_alt.h",
+        "library/ecp_invasive.h",
+        "library/entropy_poll.h",
+        "library/md_wrap.h",
+        "library/pk_wrap.h",
+        "library/padlock.h",
+        "library/pkwrite.h",
+        "library/rsa_alt_helpers.h",
+        "library/ssl_debug_helpers.h",
+        "library/ssl_misc.h",
+    ] + glob(
+        include = ["include/**/*.h"],
+        exclude = ["include/psa/**"],
+    ),
+    deps = [
+        ":mbedtls_config",
+    ],
+)
+
+# Library containing project-specific mbedtls config header file.
+label_flag(
+    name = "mbedtls_config",
+    build_setting_default = ":empty_config",
+)
+
+cc_library(name = "empty_config")