emscripten: support MbedTLS 4 in build and CI

Make the fetched MbedTLS version configurable and extend the wasm jobs to exercise both mbedtls3 and mbedtls4 builds while keeping release artifacts on the mbedtls3 path.

Update the Emscripten build to link against MbedTLS::mbedtls, guard the legacy entropy helpers to pre-4.x builds, and switch the PSA feature probes to compile-only checks so they work with fetched and custom MbedTLS targets.

Install the Python modules required by the MbedTLS 4 generators in the Emscripten CI container so the tf-psa-crypto build completes.

Signed-off-by: Peter M <petermm@gmail.com>

Author: petermm

.github/workflows/wasm-build.yaml

@@ -107,13 +107,21 @@ jobs:
     needs: compile_tests
     runs-on: ubuntu-24.04
     container: emscripten/emsdk
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - mbedtls_label: "mbedtls3"
+            mbedtls_git_tag: "v3.6.3.1"
+          - mbedtls_label: "mbedtls4"
+            mbedtls_git_tag: "v4.0.0"
 
     steps:
     - name: Checkout repo
       uses: actions/checkout@v4
 
     - name: "Install deps"
-      run: sudo apt update -y && sudo apt install -y cmake gperf
+      run: sudo apt update -y && sudo apt install -y cmake gperf python3-jinja2 python3-jsonschema
 
     - name: Build
       shell: bash
@@ -122,7 +130,7 @@ jobs:
         set -euo pipefail
         mkdir build
         cd build
-        emcmake cmake ..
+        emcmake cmake .. -DAVM_FETCH_MBEDTLS_GIT_TAG=${{ matrix.mbedtls_git_tag }}
         emmake make -j
 
     - name: Download AtomVM and test modules
@@ -147,7 +155,7 @@ jobs:
         node src/AtomVM.js ../../../../build/tests/erlang_tests/test_crypto.beam
 
     - name: "Rename and write sha256sum (node)"
-      if: startsWith(github.ref, 'refs/tags/')
+      if: startsWith(github.ref, 'refs/tags/') && matrix.mbedtls_label == 'mbedtls3'
       shell: bash
       working-directory: src/platforms/emscripten/build/src
       run: |
@@ -160,7 +168,7 @@ jobs:
 
     - name: "Release (node)"
       uses: softprops/action-gh-release@v1
-      if: startsWith(github.ref, 'refs/tags/')
+      if: startsWith(github.ref, 'refs/tags/') && matrix.mbedtls_label == 'mbedtls3'
       with:
         draft: true
         fail_on_unmatched_files: true
@@ -181,14 +189,20 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ["javascript-typescript"]
+        include:
+          - language: "javascript-typescript"
+            mbedtls_label: "mbedtls3"
+            mbedtls_git_tag: "v3.6.3.1"
+          - language: "javascript-typescript"
+            mbedtls_label: "mbedtls4"
+            mbedtls_git_tag: "v4.0.0"
 
     steps:
     - name: Checkout repo
       uses: actions/checkout@v4
 
     - name: "Install deps"
-      run: sudo apt update -y && sudo apt install -y cmake gperf
+      run: sudo apt update -y && sudo apt install -y cmake gperf python3-jinja2 python3-jsonschema
 
     - name: "Initialize CodeQL"
       uses: github/codeql-action/init@v3
@@ -204,7 +218,7 @@ jobs:
         set -euo pipefail
         mkdir build
         cd build
-        emcmake cmake .. -DAVM_EMSCRIPTEN_ENV=web
+        emcmake cmake .. -DAVM_EMSCRIPTEN_ENV=web -DAVM_FETCH_MBEDTLS_GIT_TAG=${{ matrix.mbedtls_git_tag }}
         emmake make -j
 
     - name: "Perform CodeQL Analysis"
@@ -213,7 +227,7 @@ jobs:
     - name: Upload wasm build for web
       uses: actions/upload-artifact@v4
       with:
-        name: atomvm-js-web
+        name: atomvm-js-web-${{ matrix.mbedtls_label }}
         path: |
             src/platforms/emscripten/build/**/*.wasm
             src/platforms/emscripten/build/**/*.js
@@ -222,6 +236,12 @@ jobs:
   wasm_test_web:
     needs: [compile_tests, wasm_build_web]
     runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - mbedtls_label: "mbedtls3"
+          - mbedtls_label: "mbedtls4"
     steps:
     - name: Checkout repo
       uses: actions/checkout@v4
@@ -235,7 +255,7 @@ jobs:
     - name: Download wasm build for web
       uses: actions/download-artifact@v4
       with:
-        name: atomvm-js-web
+        name: atomvm-js-web-${{ matrix.mbedtls_label }}
         path: src/platforms/emscripten/build
 
     - name: Download emscripten test modules
@@ -270,7 +290,7 @@ jobs:
         retention-days: 7
 
     - name: "Rename and write sha256sum (web)"
-      if: startsWith(github.ref, 'refs/tags/')
+      if: startsWith(github.ref, 'refs/tags/') && matrix.mbedtls_label == 'mbedtls3'
       shell: bash
       working-directory: src/platforms/emscripten/build/src
       run: |
@@ -283,7 +303,7 @@ jobs:
 
     - name: "Release (web)"
       uses: softprops/action-gh-release@v1
-      if: startsWith(github.ref, 'refs/tags/')
+      if: startsWith(github.ref, 'refs/tags/') && matrix.mbedtls_label == 'mbedtls3'
       with:
         draft: true
         fail_on_unmatched_files: true

CMakeModules/FetchMbedTLS.cmake

@@ -20,10 +20,12 @@
 
 include(FetchContent)
 
+set(AVM_FETCH_MBEDTLS_GIT_TAG "v3.6.3.1" CACHE STRING "MbedTLS git tag to fetch for Emscripten builds")
+
 FetchContent_Declare(
   mbedtls
   GIT_REPOSITORY http://github.com/mbed-TLS/mbedtls.git
-  GIT_TAG        v3.6.3.1
+  GIT_TAG        ${AVM_FETCH_MBEDTLS_GIT_TAG}
   GIT_SHALLOW    1
 )
 

src/platforms/emscripten/src/lib/CMakeLists.txt

@@ -47,19 +47,24 @@ target_compile_features(libAtomVM${PLATFORM_LIB_SUFFIX} PUBLIC c_std_11)
 
 target_link_libraries(libAtomVM${PLATFORM_LIB_SUFFIX} PUBLIC libAtomVM)
 target_compile_definitions(libAtomVM${PLATFORM_LIB_SUFFIX} PUBLIC ATOMVM_HAS_MBEDTLS)
-target_link_libraries(libAtomVM${PLATFORM_LIB_SUFFIX} PUBLIC MbedTLS::mbedcrypto)
+target_link_libraries(libAtomVM${PLATFORM_LIB_SUFFIX} PUBLIC MbedTLS::mbedtls)
 include(CheckCSourceCompiles)
-get_target_property(_mbedcrypto_includes MbedTLS::mbedcrypto INTERFACE_INCLUDE_DIRECTORIES)
-set(CMAKE_REQUIRED_INCLUDES ${_mbedcrypto_includes})
+get_target_property(_mbedtls_includes MbedTLS::mbedtls INTERFACE_INCLUDE_DIRECTORIES)
+set(CMAKE_REQUIRED_INCLUDES ${_mbedtls_includes})
+set(_avm_try_compile_target_type ${CMAKE_TRY_COMPILE_TARGET_TYPE})
+set(CMAKE_TRY_COMPILE_TARGET_TYPE STATIC_LIBRARY)
 check_c_source_compiles("
     #include <mbedtls/version.h>
     #ifndef MBEDTLS_PSA_CRYPTO_C
     #error PSA Crypto not available
     #endif
+    #include <psa/crypto.h>
     int main(void) { return 0; }
 " HAVE_PSA_CRYPTO)
+set(CMAKE_TRY_COMPILE_TARGET_TYPE ${_avm_try_compile_target_type})
 unset(CMAKE_REQUIRED_INCLUDES)
-unset(_mbedcrypto_includes)
+unset(_avm_try_compile_target_type)
+unset(_mbedtls_includes)
 if (HAVE_PSA_CRYPTO)
     target_compile_definitions(libAtomVM${PLATFORM_LIB_SUFFIX} PUBLIC HAVE_PSA_CRYPTO)
 endif()

src/platforms/emscripten/src/lib/sys.c

@@ -771,6 +771,8 @@ term sys_get_info(Context *ctx, term key)
     return UNDEFINED_ATOM;
 }
 
+#ifdef ATOMVM_HAS_MBEDTLS
+#if MBEDTLS_VERSION_NUMBER < 0x04000000
 int sys_mbedtls_entropy_func(void *entropy, unsigned char *buf, size_t size)
 {
 #ifndef MBEDTLS_THREADING_C
@@ -837,3 +839,6 @@ void sys_mbedtls_ctr_drbg_context_unlock(GlobalContext *global)
     struct EmscriptenPlatformData *platform = global->platform_data;
     SMP_MUTEX_UNLOCK(platform->random_mutex);
 }
+#endif
+
+#endif