Merge pull request #1 from Quicr/sync-0319

Sync fork to 3/19/2024
Quicr · Apr 7, 2024 · 380b1a4 · 380b1a4
2 parents f69efeb + e24e609
commit 380b1a4
Show file tree

Hide file tree

Showing 32 changed files with 2,960 additions and 306 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -18,9 +18,9 @@ jobs:
           - name: "Linux / OpenSSL 1.1.0"
             command: make -f misc/docker-ci.mk CMAKE_ARGS='-DOPENSSL_ROOT_DIR=-DOPENSSL_ROOT_DIR=/opt/openssl-1.1.0 -DWITH_FUSION=OFF' CONTAINER_NAME='h2oserver/h2o-ci:ubuntu1604'
           - name: "Linux / OpenSSL 1.1.1"
-            command: make -f misc/docker-ci.mk
-          - name: "Linux / OpenSSL 3.0"
-            command: make -f misc/docker-ci.mk CONTAINER_NAME=h2oserver/h2o-ci:ubuntu2204
+            command: make -f misc/docker-ci.mk CMAKE_ARGS='-DWITH_AEGIS=1 -DAEGIS_INCLUDE_DIR=/usr/local/include'
+          - name: "Linux / OpenSSL 3.0 + mbedtls"
+            command: make -f misc/docker-ci.mk CONTAINER_NAME=h2oserver/h2o-ci:ubuntu2204 CMAKE_ARGS='-DWITH_MBEDTLS=1'
           - name: "Linux / OpenSSL 1.1.1 + ASan & UBSan"
             command: make -f misc/docker-ci.mk CMAKE_ARGS='-DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS=-fsanitize=address,undefined -DCMAKE_CXX_FLAGS=-fsanitize=address,undefined' CHECK_ENVS='ASAN_OPTIONS=detect_leaks=0 UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1'
           - name: "Linux / boringssl"

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -10,18 +10,13 @@ IF (CMAKE_VERSION VERSION_LESS 3.13.0)
 ENDIF ()
 
 FIND_PACKAGE(PkgConfig REQUIRED)
-INCLUDE(cmake/dtrace-utils.cmake)
 INCLUDE(cmake/boringssl-adjust.cmake)
+INCLUDE(cmake/dtrace-utils.cmake)
+INCLUDE(cmake/fusion.cmake)
+SET(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake")
 
 CHECK_DTRACE(${PROJECT_SOURCE_DIR}/picotls-probes.d)
-IF ((CMAKE_SIZEOF_VOID_P EQUAL 8) AND
-    (CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64") OR
-     (CMAKE_SYSTEM_PROCESSOR STREQUAL "amd64") OR
-     (CMAKE_SYSTEM_PROCESSOR STREQUAL "AMD64"))
-    SET(WITH_FUSION_DEFAULT "ON")
-ELSE ()
-    SET(WITH_FUSION_DEFAULT "OFF")
-ENDIF ()
+CHECK_FUSION_PREREQUISITES()
 
 OPTION(WITH_DTRACE "use USDT (userspace Dtrace probes)" ${HAVE_DTRACE})
 OPTION(WITH_FUSION "build 'fusion' AES-GCM engine" ${WITH_FUSION_DEFAULT})
@@ -31,6 +26,8 @@ ENDIF ()
 IF (WITH_FUSION)
     MESSAGE(STATUS "Enabling 'fusion' AES-GCM engine")
 ENDIF ()
+OPTION(WITH_AEGIS "enable AEGIS (requires libaegis)" ${WITH_AEGIS})
+OPTION(WITH_MBEDTLS "enable MBEDTLS" ${WITH_MBEDTLS})
 
 SET(CMAKE_C_FLAGS "-std=c99 -Wall -O2 -g ${CC_WARNING_FLAGS} ${CMAKE_C_FLAGS}")
 INCLUDE_DIRECTORIES(
@@ -73,29 +70,28 @@ IF (WITH_DTRACE)
     ENDIF ()
 ENDIF ()
 
-IF (NOT BORINGSSL_LIBRARIES)
-    PKG_CHECK_MODULES(BROTLI_DEC libbrotlidec)
-    PKG_CHECK_MODULES(BROTLI_ENC libbrotlienc)
-ENDIF()
-
+#PKG_CHECK_MODULES(BROTLI_DEC libbrotlidec)
+#PKG_CHECK_MODULES(BROTLI_ENC libbrotlienc)
 IF (BROTLI_DEC_FOUND AND BROTLI_ENC_FOUND)
     INCLUDE_DIRECTORIES(${BROTLI_DEC_INCLUDE_DIRS} ${BROTLI_ENC_INCLUDE_DIRS})
     SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DPICOTLS_USE_BROTLI=1")
     LIST(APPEND CORE_FILES
         lib/certificate_compression.c)
     LIST(APPEND CORE_EXTRA_LIBS ${BROTLI_DEC_LIBRARIES} ${BROTLI_ENC_LIBRARIES})
-
-    #LIST(APPEND CORE_EXTRA_LIBS_DIRS (${BROTLI_DEC_LIBRARY_DIRS} ${BROTLI_ENC_LIBRARY_DIRS}))
-    LIST(APPEND CORE_EXTRA_LIBS_DIRS ${BROTLI_DEC_LIBRARY_DIRS})
-    LIST(APPEND CORE_EXTRA_LIBS_DIRS ${BROTLI_ENC_LIBRARY_DIRS})
+    LIST(APPEND CORE_EXTRA_LIBS_DIRS (${BROTLI_DEC_LIBRARY_DIRS} ${BROTLI_ENC_LIBRARY_DIRS}))
 ENDIF ()
 
 ADD_LIBRARY(picotls-core ${CORE_FILES})
 TARGET_LINK_LIBRARIES(picotls-core ${CORE_EXTRA_LIBS})
 TARGET_LINK_DIRECTORIES(picotls-core PUBLIC ${CORE_EXTRA_LIBS_DIRS})
 
+IF (WITH_AEGIS)
+    SET(MINICRYPTO_AEGIS_FILES lib/cifra/libaegis.c)
+ENDIF ()
+
 ADD_LIBRARY(picotls-minicrypto
     ${MINICRYPTO_LIBRARY_FILES}
+    ${MINICRYPTO_AEGIS_FILES}
     lib/cifra.c
     lib/cifra/x25519.c
     lib/cifra/chacha20.c
@@ -107,62 +103,76 @@ ADD_LIBRARY(picotls-minicrypto
     lib/asn1.c
     lib/ffx.c)
 TARGET_LINK_LIBRARIES(picotls-minicrypto picotls-core)
+ADD_EXECUTABLE(test-minicrypto.t
+    ${MINICRYPTO_LIBRARY_FILES}
+    ${MINICRYPTO_AEGIS_FILES}
+    deps/picotest/picotest.c
+    ${CORE_TEST_FILES}
+    t/minicrypto.c
+    lib/asn1.c
+    lib/pembase64.c
+    lib/ffx.c
+    lib/cifra/x25519.c
+    lib/cifra/chacha20.c
+    lib/cifra/aes128.c
+    lib/cifra/aes256.c
+    lib/cifra/random.c)
+SET(TEST_EXES test-minicrypto.t)
 
-IF (BUILD_TESTING AND picotls_BUILD_TESTS)
-    ADD_EXECUTABLE(test-minicrypto.t
-        ${MINICRYPTO_LIBRARY_FILES}
-        deps/picotest/picotest.c
-        ${CORE_TEST_FILES}
-        t/minicrypto.c
-        lib/asn1.c
-        lib/pembase64.c
-        lib/ffx.c
-        lib/cifra/x25519.c
-        lib/cifra/chacha20.c
-        lib/cifra/aes128.c
-        lib/cifra/aes256.c
-        lib/cifra/random.c)
-    SET(TEST_EXES test-minicrypto.t)
-    SET(PTLSBENCH_LIBS
-        picotls-minicrypto picotls-core)
-ENDIF()
 
-IF (NOT BORINGSSL_LIBDIR)
-    FIND_PACKAGE(OpenSSL)
+SET(PTLSBENCH_LIBS
+    picotls-minicrypto picotls-core)
+
+IF (WITH_AEGIS)
+  FIND_PACKAGE(aegis)
+  IF (aegis_FOUND)
+    INCLUDE_DIRECTORIES(${AEGIS_INCLUDE_DIR})
+    IF (EXISTS "${AEGIS_INCLUDE_DIR}/aegis.h")
+      MESSAGE(STATUS "Enabling AEGIS support (library found in ${aegis_DIR})")
+      SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DPTLS_HAVE_AEGIS=1")
+      SET(AEGIS_LIBRARIES ${aegis_LIBRARIES})
+      TARGET_LINK_LIBRARIES(test-minicrypto.t ${AEGIS_LIBRARIES})
+    ELSE()
+      MESSAGE(FATAL_ERROR "libaegis found, but aegis.h not found - Define AEGIS_INCLUDE_DIR accordingly")
+    ENDIF()
+  ELSE()
+    MESSAGE(FATAL_ERROR "libaegis not found")
+  ENDIF()
 ENDIF()
 
+FIND_PACKAGE(OpenSSL)
 BORINGSSL_ADJUST()
 
 IF (OPENSSL_FOUND AND NOT (OPENSSL_VERSION VERSION_LESS "1.0.1"))
     MESSAGE(STATUS "  Enabling OpenSSL support")
     INCLUDE_DIRECTORIES(${OPENSSL_INCLUDE_DIR})
     ADD_LIBRARY(picotls-openssl lib/openssl.c)
-    TARGET_LINK_LIBRARIES(picotls-openssl ${OPENSSL_CRYPTO_LIBRARIES} picotls-core ${CMAKE_DL_LIBS})
+    TARGET_LINK_LIBRARIES(picotls-openssl ${OPENSSL_CRYPTO_LIBRARIES} ${AEGIS_LIBRARIES} picotls-core ${CMAKE_DL_LIBS})
     ADD_EXECUTABLE(cli t/cli.c lib/pembase64.c)
     TARGET_LINK_LIBRARIES(cli picotls-openssl picotls-core)
 
-    if(BUILD_TESTING AND picotls_BUILD_TESTS)
-        ADD_EXECUTABLE(test-openssl.t
-                ${MINICRYPTO_LIBRARY_FILES}
-                lib/cifra.c
-                lib/cifra/x25519.c
-                lib/cifra/chacha20.c
-                lib/cifra/aes128.c
-                lib/cifra/aes256.c
-                lib/cifra/random.c
-                lib/uecc.c
-                lib/asn1.c
-                lib/pembase64.c
-                lib/ffx.c
-                deps/picotest/picotest.c
-                ${CORE_TEST_FILES}
-                t/openssl.c)
-        SET_TARGET_PROPERTIES(test-openssl.t PROPERTIES COMPILE_FLAGS "-DPTLS_MEMORY_DEBUG=1")
-        TARGET_LINK_LIBRARIES(test-openssl.t ${OPENSSL_CRYPTO_LIBRARIES} ${CMAKE_DL_LIBS})
-        LIST(APPEND PTLSBENCH_LIBS picotls-openssl ${OPENSSL_CRYPTO_LIBRARIES} ${CMAKE_DL_LIBS})
-
-        SET(TEST_EXES ${TEST_EXES} test-openssl.t)
-    endif()
+    ADD_EXECUTABLE(test-openssl.t
+        ${MINICRYPTO_LIBRARY_FILES}
+        ${MINICRYPTO_AEGIS_FILES}
+        lib/cifra.c
+        lib/cifra/x25519.c
+        lib/cifra/chacha20.c
+        lib/cifra/aes128.c
+        lib/cifra/aes256.c
+        lib/cifra/random.c
+        lib/uecc.c
+        lib/asn1.c
+        lib/pembase64.c
+        lib/ffx.c
+        deps/picotest/picotest.c
+        ${CORE_TEST_FILES}
+        t/openssl.c)
+    SET_TARGET_PROPERTIES(test-openssl.t PROPERTIES COMPILE_FLAGS "-DPTLS_MEMORY_DEBUG=1")
+    TARGET_LINK_LIBRARIES(test-openssl.t ${OPENSSL_CRYPTO_LIBRARIES} ${AEGIS_LIBRARIES} ${CMAKE_DL_LIBS})
+
+    LIST(APPEND PTLSBENCH_LIBS picotls-openssl ${OPENSSL_CRYPTO_LIBRARIES} ${AEGIS_LIBRARIES} ${CMAKE_DL_LIBS})
+
+    SET(TEST_EXES ${TEST_EXES} test-openssl.t)
 ELSE ()
     MESSAGE(WARNING "Disabling OpenSSL support (requires 1.0.1 or newer)")
 ENDIF ()
@@ -171,30 +181,47 @@ IF (WITH_FUSION)
     ADD_LIBRARY(picotls-fusion lib/fusion.c)
     SET_TARGET_PROPERTIES(picotls-fusion PROPERTIES COMPILE_FLAGS "-mavx2 -maes -mpclmul -mvaes -mvpclmulqdq")
     TARGET_LINK_LIBRARIES(picotls-fusion picotls-core)
+    ADD_EXECUTABLE(test-fusion.t
+        deps/picotest/picotest.c
+        lib/picotls.c
+        t/fusion.c)
+    TARGET_LINK_LIBRARIES(test-fusion.t picotls-minicrypto)
+    SET_TARGET_PROPERTIES(test-fusion.t PROPERTIES COMPILE_FLAGS "-mavx2 -maes -mpclmul -mvaes -mvpclmulqdq")
+    IF (WITH_DTRACE)
+        ADD_DEPENDENCIES(test-fusion.t generate-picotls-probes)
+    ENDIF ()
+    SET(TEST_EXES ${TEST_EXES} test-fusion.t)
 
-    if(BUILD_TESTING AND picotls_BUILD_TESTS)
-        ADD_EXECUTABLE(test-fusion.t
-                deps/picotest/picotest.c
-                lib/picotls.c
-                t/fusion.c)
-        TARGET_LINK_LIBRARIES(test-fusion.t picotls-minicrypto)
-        SET_TARGET_PROPERTIES(test-fusion.t PROPERTIES COMPILE_FLAGS "-mavx2 -maes -mpclmul -mvaes -mvpclmulqdq")
-        IF (WITH_DTRACE)
-            ADD_DEPENDENCIES(test-fusion.t generate-picotls-probes)
-        ENDIF ()
-        SET(TEST_EXES ${TEST_EXES} test-fusion.t)
-        LIST(APPEND PTLSBENCH_LIBS picotls-fusion)
-    endif()
+    SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DPTLS_HAVE_FUSION=1")
+    LIST(APPEND PTLSBENCH_LIBS picotls-fusion)
 ENDIF ()
 
-if(BUILD_TESTING AND picotls_BUILD_TESTS)
-    ADD_EXECUTABLE(ptlsbench t/ptlsbench.c)
-    SET_TARGET_PROPERTIES(ptlsbench PROPERTIES COMPILE_FLAGS "-DPTLS_MEMORY_DEBUG=1")
-    TARGET_LINK_LIBRARIES(ptlsbench ${PTLSBENCH_LIBS})
-    IF (NOT WITH_FUSION)
-        SET_TARGET_PROPERTIES(ptlsbench PROPERTIES EXCLUDE_FROM_ALL 1)
+IF (WITH_MBEDTLS)
+    FIND_PACKAGE(MbedTLS)
+    IF (NOT MbedTLS_FOUND)
+        MESSAGE(FATAL_ERROR "-DWITH_MBEDTLS set but mbedtls not found")
     ENDIF ()
-endif()
+    message(STATUS "mbedtls/include: ${MBEDTLS_INCLUDE_DIRS}")
+    message(STATUS "mbedtls libraries: ${MBEDTLS_LIBRARIES}")
+    INCLUDE_DIRECTORIES(${MBEDTLS_INCLUDE_DIRS})
+    ADD_LIBRARY(picotls-mbedtls lib/mbedtls.c)
+    ADD_EXECUTABLE(test-mbedtls.t
+        deps/picotest/picotest.c
+        ${CORE_TEST_FILES}
+        t/mbedtls.c)
+    TARGET_LINK_LIBRARIES(test-mbedtls.t
+        picotls-minicrypto picotls-mbedtls
+        ${MBEDTLS_LIBRARIES})
+    SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DPTLS_HAVE_MBEDTLS=1")
+    LIST(APPEND PTLSBENCH_LIBS picotls-mbedtls ${MBEDTLS_LIBRARIES})
+ENDIF ()
+
+ADD_EXECUTABLE(ptlsbench t/ptlsbench.c)
+SET_TARGET_PROPERTIES(ptlsbench PROPERTIES COMPILE_FLAGS "-DPTLS_MEMORY_DEBUG=1")
+TARGET_LINK_LIBRARIES(ptlsbench ${PTLSBENCH_LIBS})
+IF (NOT WITH_FUSION)
+    SET_TARGET_PROPERTIES(ptlsbench PROPERTIES EXCLUDE_FROM_ALL 1)
+ENDIF ()
 
 ADD_CUSTOM_TARGET(check env BINARY_DIR=${CMAKE_CURRENT_BINARY_DIR} prove --exec '' -v ${CMAKE_CURRENT_BINARY_DIR}/*.t t/*.t WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR} DEPENDS ${TEST_EXES} cli)
 
@@ -211,7 +238,7 @@ ENDIF ()
 
 IF (BUILD_FUZZER)
     IF (NOT CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
-        MESSAGE(FATAL ERROR "The fuzzer needs clang as a compiler")
+        MESSAGE(FATAL_ERROR "The fuzzer needs clang as a compiler")
     ENDIF()
 
     ADD_EXECUTABLE(fuzz-asn1 fuzz/fuzz-asn1.c)
@@ -240,8 +267,8 @@ IF (BUILD_FUZZER)
             LINK_FLAGS "-fsanitize=fuzzer")
     ENDIF (OSS_FUZZ)
 
-    TARGET_LINK_LIBRARIES(fuzz-asn1 picotls-minicrypto picotls-core picotls-openssl ${OPENSSL_CRYPTO_LIBRARIES} ${LIB_FUZZER})
-    TARGET_LINK_LIBRARIES(fuzz-server-hello picotls-core picotls-openssl ${OPENSSL_CRYPTO_LIBRARIES} ${LIB_FUZZER})
-    TARGET_LINK_LIBRARIES(fuzz-client-hello picotls-core picotls-openssl ${OPENSSL_CRYPTO_LIBRARIES} ${LIB_FUZZER})
+    TARGET_LINK_LIBRARIES(fuzz-asn1 picotls-minicrypto picotls-core picotls-openssl ${OPENSSL_CRYPTO_LIBRARIES} ${AEGIS_LIBRARIES} ${LIB_FUZZER})
+    TARGET_LINK_LIBRARIES(fuzz-server-hello picotls-core picotls-openssl ${OPENSSL_CRYPTO_LIBRARIES} ${AEGIS_LIBRARIES} ${LIB_FUZZER})
+    TARGET_LINK_LIBRARIES(fuzz-client-hello picotls-core picotls-openssl ${OPENSSL_CRYPTO_LIBRARIES} ${AEGIS_LIBRARIES} ${LIB_FUZZER})
 
 ENDIF()
diff --git a/README.md b/README.md
@@ -8,6 +8,7 @@ Picotls is a [TLS 1.3 (RFC 8446)](https://tools.ietf.org/html/rfc8446) protocol
   * "OpenSSL" backend using libcrypto for crypto and X.509 operations
   * "minicrypto" backend using [cifra](https://github.com/ctz/cifra) for most crypto and [micro-ecc](https://github.com/kmackay/micro-ecc) for secp256r1
   * ["fusion" AES-GCM engine, optimized for QUIC and other protocols that use short AEAD blocks](https://github.com/h2o/picotls/pull/310)
+  * [libaegis](https://github.com/jedisct1/libaegis) for the AEGIS AEADs
 * support for PSK, PSK-DHE resumption using 0-RTT
 * API for dealing directly with TLS handshake messages (essential for QUIC)
 * supported extensions:
@@ -23,8 +24,8 @@ License and the cryptographic algorithms supported by the crypto bindings are as
 
 | Binding | License | Key Exchange | Certificate | AEAD cipher |
 |:-----:|:-----:|:-----:|:-----:|:-----:|
-| minicrypto | [CC0](https://github.com/ctz/cifra/) / [2-clause BSD](https://github.com/kmackay/micro-ecc) | secp256r1, x25519 | ECDSA (secp256r1)<sup>1</sup> | AES-128-GCM, chacha20-poly1305 |
-| OpenSSL | OpenSSL | secp256r1, secp384r1, secp521r1, x25519 | RSA, ECDSA (secp256r1, secp384r1, secp521r1), ed25519 | AES-128-GCM, AES-256-GCM, chacha20-poly1305 |
+| minicrypto | [CC0](https://github.com/ctz/cifra/) / [2-clause BSD](https://github.com/kmackay/micro-ecc) | secp256r1, x25519 | ECDSA (secp256r1)<sup>1</sup> | AES-128-GCM, chacha20-poly1305, AEGIS-128L (using libaegis), AEGIS-256 (using libaegis) |
+| OpenSSL | OpenSSL | secp256r1, secp384r1, secp521r1, x25519 | RSA, ECDSA (secp256r1, secp384r1, secp521r1), ed25519 | AES-128-GCM, AES-256-GCM, chacha20-poly1305, AEGIS-128L (using libaegis), AEGIS-256 (using libaegis) |
 
 Note 1: Minicrypto binding is capable of signing a handshake using the certificate's key, but cannot verify a signature sent by the peer.
 

diff --git a/cmake/FindMbedTLS.cmake b/cmake/FindMbedTLS.cmake
@@ -0,0 +1,48 @@
+# Try to find MbedTLS; recognized hints are:
+#  * MBEDTLS_ROOT_DIR
+#  * MBEDTLS_LIBDIR
+# Upon return,
+#  * MBEDTLS_INCLUDE_DIRS
+#  * MBEDTLS_LIBRARIES
+# will be set.
+# Users may supply MBEDTLS_INCLUDE_DIRS or MBEDTLS_LIBRARIES directly.
+
+INCLUDE(FindPackageHandleStandardArgs)
+
+# setup default vars for the hints
+IF (NOT DEFINED MBEDTLS_ROOT_DIR)
+    SET(MBEDTLS_ROOT_DIR "/usr/local" "/usr")
+ENDIF ()
+IF (NOT DEFINED MBEDTLS_LIBDIR)
+    SET(MBEDTLS_LIBDIR)
+    FOREACH (item IN LISTS MBEDTLS_ROOT_DIR)
+        LIST(APPEND MBEDTLS_LIBDIR "${item}/lib")
+    ENDFOREACH ()
+ENDIF ()
+
+# find include directory
+IF (NOT DEFINED MBEDTLS_INCLUDE_DIRS)
+    SET(HINTS)
+    FOREACH (item IN LISTS MBEDTLS_ROOT_DIR)
+        LIST(APPEND HINTS "${item}/include")
+    ENDFOREACH ()
+    FIND_PATH(MBEDTLS_INCLUDE_DIRS
+        NAMES mbedtls/build_info.h psa/crypto.h
+        HINTS $HINTS)
+ENDIF ()
+
+# find libraries
+FIND_LIBRARY(MBEDTLS_LIBRARY mbedtls HINTS $MBEDTLS_LIBDIR)
+FIND_LIBRARY(MBEDTLS_CRYPTO mbedcrypto HINTS $MBEDTLS_LIBDIR)
+FIND_LIBRARY(MBEDTLS_X509 mbedx509 HINTS $MBEDTLS_LIBDIR)
+
+# setup
+FIND_PACKAGE_HANDLE_STANDARD_ARGS(MbedTLS REQUIRED_VARS
+    MBEDTLS_LIBRARY
+    MBEDTLS_CRYPTO
+    MBEDTLS_X509
+    MBEDTLS_INCLUDE_DIRS)
+IF (MbedTLS_FOUND)
+    SET(MBEDTLS_LIBRARIES ${MBEDTLS_LIBRARY} ${MBEDTLS_CRYPTO} ${MBEDTLS_X509})
+    MARK_AS_ADVANCED(MBEDTLS_LIBRARIES MBEDTLS_INCLUDE_DIRS)
+ENDIF ()