Diffstat (limited to 'src')
-rw-r--r--src/zencore/crypto.cpp108
-rw-r--r--src/zencore/xmake.lua6
-rw-r--r--src/zenhttp/xmake.lua4
3 files changed, 109 insertions, 9 deletions
diff --git a/src/zencore/crypto.cpp b/src/zencore/crypto.cpp
index 78bea0c17..baf8a3a35 100644
--- a/src/zencore/crypto.cpp
+++ b/src/zencore/crypto.cpp
@@ -12,8 +12,10 @@
#ifndef ZEN_USE_OPENSSL
# if ZEN_PLATFORM_WINDOWS
# define ZEN_USE_OPENSSL 0
+# define ZEN_USE_MBEDTLS 0
# else
-# define ZEN_USE_OPENSSL 1
+# define ZEN_USE_OPENSSL 0
+# define ZEN_USE_MBEDTLS 1
# endif
#endif
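Review bot: `ZEN_USE_MBEDTLS` is only defined inside the `#ifndef ZEN_USE_OPENSSL` guard, so a build that predefines `ZEN_USE_OPENSSL` leaves it undefined and the later `#elif ZEN_USE_MBEDTLS` / `#if ZEN_USE_MBEDTLS` tests silently evaluate it as 0. With `ZEN_USE_OPENSSL=0` passed on a non-Windows build, that would select the `<bcrypt.h>` branch instead of mbedTLS. Giving the new macro its own guard after this block keeps the two switches independent: `#ifndef ZEN_USE_MBEDTLS`, `# define ZEN_USE_MBEDTLS (!ZEN_PLATFORM_WINDOWS && !ZEN_USE_OPENSSL)`, `#endif`. Both defaults now set `ZEN_USE_OPENSSL` to 0, so a one-line comment saying the OpenSSL path is reachable only by explicit override would save the next reader from guessing which backend ships.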
@@ -24,6 +26,8 @@ ZEN_THIRD_PARTY_INCLUDES_START
# include <openssl/conf.h>
# include <openssl/err.h>
# include <openssl/evp.h>
+#elif ZEN_USE_MBEDTLS
+ #include <mbedtls/cipher.h>
#else
# include <zencore/windows.h>
# include <bcrypt.h>
@@ -43,8 +47,108 @@ namespace crypto {
Encrypt
};
-#if ZEN_USE_OPENSSL
+#if ZEN_USE_MBEDTLS
+
+ class MbedCipherCtx
+ {
+ public:
+ MbedCipherCtx() { mbedtls_cipher_init(&m_Ctx); }
+ ~MbedCipherCtx() { mbedtls_cipher_free(&m_Ctx); }
+
+ mbedtls_cipher_context_t* operator&() { return &m_Ctx; }
+ mbedtls_cipher_context_t* get() { return &m_Ctx; }
+
+ private:
+ mbedtls_cipher_context_t m_Ctx;
+ };
+
+ MemoryView Transform(TransformMode Mode,
+ MemoryView Key,
+ MemoryView IV,
+ MemoryView In,
+ MutableMemoryView Out,
+ std::optional<std::string>& Reason)
+ {
+ const mbedtls_cipher_info_t* CipherInfo = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_256_CBC);
+ if (CipherInfo == nullptr)
+ {
+ Reason = "failed to get mbedTLS cipher info"sv;
+ return MemoryView();
+ }
+
+ MbedCipherCtx Ctx;
+ int ret = mbedtls_cipher_setup(Ctx.get(), CipherInfo);
+ if (ret != 0)
+ {
+ Reason = fmt::format("mbedTLS cipher setup failed, ret={}", ret);
+ return MemoryView();
+ }
+
+ // key length in bits
+ ret = mbedtls_cipher_setkey(Ctx.get(),
+ reinterpret_cast<const unsigned char*>(Key.GetData()),
+ static_cast<int>(Key.GetSize() * 8),
+ (Mode == TransformMode::Encrypt) ? MBEDTLS_ENCRYPT : MBEDTLS_DECRYPT);
+ if (ret != 0)
+ {
+ Reason = fmt::format("mbedTLS setkey failed, ret={}", ret);
+ return MemoryView();
+ }
+
+ ret = mbedtls_cipher_set_iv(Ctx.get(),
+ reinterpret_cast<const unsigned char*>(IV.GetData()),
+ static_cast<size_t>(IV.GetSize()));
+ if (ret != 0)
+ {
+ Reason = fmt::format("mbedTLS set_iv failed, ret={}", ret);
+ return MemoryView();
+ }
+ ret = mbedtls_cipher_reset(Ctx.get());
+ if (ret != 0)
+ {
+ Reason = fmt::format("mbedTLS reset failed, ret={}", ret);
+ return MemoryView();
+ }
+
+ // Ensure output buffer is large enough: worst case = input + block size
+ const size_t BlockSize = 16;
+ if (Out.GetSize() < In.GetSize() + BlockSize)
+ {
+ Reason = "invalid output buffer size"sv;
+ return MemoryView();
+ }
+
+ size_t olen = 0;
+ size_t total = 0;
+
+ ret = mbedtls_cipher_update(Ctx.get(),
+ reinterpret_cast<const unsigned char*>(In.GetData()),
+ static_cast<size_t>(In.GetSize()),
+ reinterpret_cast<unsigned char*>(Out.GetData()),
+ &olen);
+ if (ret != 0)
+ {
+ Reason = fmt::format("mbedTLS update failed, ret={}", ret);
+ return MemoryView();
+ }
+
+ total = olen;
+
+ ret = mbedtls_cipher_finish(Ctx.get(),
+ reinterpret_cast<unsigned char*>(Out.GetData()) + total,
+ &olen);
+ if (ret != 0)
+ {
+ Reason = fmt::format("mbedTLS finish failed, ret={}", ret);
+ return MemoryView();
+ }
+
+ total += olen;
+
+ return Out.Left(static_cast<size_t>(total));
+ }
+#elif ZEN_USE_OPENSSL
class EvpContext
{
public:
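Review bot: The CBC padding scheme is never set in the new `Transform`, so it is whatever `mbedtls_cipher_setup` picks for the linked mbedTLS build; as far as I know that is PKCS7 only when the library was compiled with it, and no padding otherwise. The bcrypt and OpenSSL implementations are outside this hunk, so I cannot confirm what they use, but if data encrypted on one platform has to decrypt on another, the scheme should be pinned right after setup with `ret = mbedtls_cipher_set_padding_mode(Ctx.get(), MBEDTLS_PADDING_PKCS7);` and the same `ret != 0` handling as the neighbouring calls. Separately, `MbedCipherCtx` is still copyable, and a copy would run `mbedtls_cipher_free` twice over the same state. `MbedCipherCtx(const MbedCipherCtx&) = delete;` and `MbedCipherCtx& operator=(const MbedCipherCtx&) = delete;` close that, and the `operator&` overload, which nothing in this hunk calls, could be dropped.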
diff --git a/src/zencore/xmake.lua b/src/zencore/xmake.lua
index 84f749352..26a6f0bdf 100644
--- a/src/zencore/xmake.lua
+++ b/src/zencore/xmake.lua
@@ -37,9 +37,7 @@ target('zencore')
add_deps("ryml")
add_deps("gsl-lite")
- add_packages(
- "vcpkg::openssl" -- required for crypto
- )
+ add_packages("mbedtls") -- required for crypto
add_packages(
"eastl",
@@ -49,7 +47,7 @@ target('zencore')
)
if has_config("zensentry") then
- add_packages("vcpkg::sentry-native")
+ add_packages("sentry-native")
if is_os("windows") then
add_cxxflags("/wd4996")
diff --git a/src/zenhttp/xmake.lua b/src/zenhttp/xmake.lua
index 0f757921c..434330501 100644
--- a/src/zenhttp/xmake.lua
+++ b/src/zenhttp/xmake.lua
@@ -10,9 +10,7 @@ target('zenhttp')
add_deps("zencore", "zentelemetry", "transport-sdk", "asio", "cpr")
add_deps("gsl-lite")
add_packages(
- "vcpkg::curl", -- required by cpr
- "vcpkg::openssl", -- required by curl
- "zlib", -- required by curl
+ "curl", -- required by cpr
"http_parser"
)
add_options("httpsys")
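Review bot: The explicit `openssl` entry is removed from `add_packages` without anything in the hunk saying which TLS backend the `curl` package now builds against. Whether cpr's HTTPS requests still get a TLS backend with certificate verification therefore depends on package configuration that is not visible in this diff. I would record the expectation next to the entry, e.g. `"curl", -- required by cpr; TLS backend is chosen by the curl package configuration`, and confirm that configuration actually enables one. The `target('zenhttp')` block continues outside the hunk.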