From 96a53c4e977eac1969b0cc3b9770181a4a497538 Mon Sep 17 00:00:00 2001 From: Halil Durak Date: Wed, 26 Nov 2025 10:27:25 +0300 Subject: [PATCH 1/4] add an option to build libcurl with BoringSSL --- build.zig | 54 +++++++++++++++++++++++++++++++++++++++++---------- build.zig.zon | 5 +++++ 2 files changed, 49 insertions(+), 10 deletions(-) diff --git a/build.zig b/build.zig index 22ebb542..d50150e9 100644 --- a/build.zig +++ b/build.zig @@ -46,6 +46,8 @@ pub fn build(b: *Build) !void { b.option([]const u8, "git_commit", "Current git commit") orelse "dev", ); + const use_boringssl = b.option(bool, "use-boringssl", "Whether use BoringSSL (default:false)") orelse false; + const target = b.standardTargetOptions(.{}); const optimize = b.standardOptimizeOption(.{}); @@ -59,7 +61,7 @@ pub fn build(b: *Build) !void { .link_libc = true, .link_libcpp = true, }); - try addDependencies(b, lightpanda_module, opts); + try addDependencies(b, lightpanda_module, opts, use_boringssl); { // browser @@ -67,7 +69,7 @@ pub fn build(b: *Build) !void { // compile and install const exe = b.addExecutable(.{ - .name = "lightpanda", + .name = if (use_boringssl) "lightpanda-boringssl" else "lightpanda-mbedtls", .use_llvm = true, .root_module = lightpanda_module, }); @@ -113,7 +115,7 @@ pub fn build(b: *Build) !void { .target = target, .optimize = optimize, }); - try addDependencies(b, wpt_module, opts); + try addDependencies(b, wpt_module, opts, use_boringssl); // compile and install const wpt = b.addExecutable(.{ @@ -151,7 +153,7 @@ pub fn build(b: *Build) !void { } } -fn addDependencies(b: *Build, mod: *Build.Module, opts: *Build.Step.Options) !void { +fn addDependencies(b: *Build, mod: *Build.Module, opts: *Build.Step.Options, use_boringssl: bool) !void { try moduleNetSurf(b, mod); mod.addImport("build_config", opts.createModule()); @@ -374,16 +376,39 @@ fn addDependencies(b: *Build, mod: *Build.Module, opts: *Build.Step.Options) !vo mod.addCMacro("STDC_HEADERS", "1"); mod.addCMacro("TIME_WITH_SYS_TIME", "1"); mod.addCMacro("USE_NGHTTP2", "1"); - mod.addCMacro("USE_MBEDTLS", "1"); + if (use_boringssl) { + mod.addCMacro("USE_OPENSSL", "1"); + mod.addCMacro("OPENSSL_IS_BORINGSSL", "1"); + } else { + mod.addCMacro("USE_MBEDTLS", "1"); + } mod.addCMacro("USE_THREADS_POSIX", "1"); mod.addCMacro("USE_UNIX_SOCKETS", "1"); } try buildZlib(b, mod); try buildBrotli(b, mod); - try buildMbedtls(b, mod); + if (use_boringssl) { + const maybe_boringssl_dep = b.lazyDependency("boringssl-zig", .{ + .target = target, + .optimize = mod.optimize.?, + .force_pic = true, + }); + + if (maybe_boringssl_dep) |boringssl_dep| { + const ssl = boringssl_dep.artifact("ssl"); + ssl.bundle_ubsan_rt = false; + const crypto = boringssl_dep.artifact("crypto"); + crypto.bundle_ubsan_rt = false; + + mod.linkLibrary(ssl); + mod.linkLibrary(crypto); + } + } else { + try buildMbedtls(b, mod); + } try buildNghttp2(b, mod); - try buildCurl(b, mod); + try buildCurl(b, mod, use_boringssl); try buildAda(b, mod); switch (target.result.os.tag) { @@ -674,7 +699,7 @@ fn buildNghttp2(b: *Build, m: *Build.Module) !void { } }); } -fn buildCurl(b: *Build, m: *Build.Module) !void { +fn buildCurl(b: *Build, m: *Build.Module, use_boringssl: bool) !void { const curl = b.addLibrary(.{ .name = "curl", .root_module = m, @@ -842,13 +867,22 @@ fn buildCurl(b: *Build, m: *Build.Module) !void { root ++ "lib/vauth/spnego_sspi.c", root ++ "lib/vauth/vauth.c", root ++ "lib/vtls/cipher_suite.c", - root ++ "lib/vtls/mbedtls.c", - root ++ "lib/vtls/mbedtls_threadlock.c", root ++ "lib/vtls/vtls.c", root ++ "lib/vtls/vtls_scache.c", root ++ "lib/vtls/x509asn1.c", }, }); + + curl.addCSourceFiles(.{ + .files = if (use_boringssl) &.{ + root ++ "lib/vtls/openssl.c", + root ++ "lib/vtls/hostcheck.c", + root ++ "lib/vtls/keylog.c", + } else &.{ + root ++ "lib/vtls/mbedtls.c", + root ++ "lib/vtls/mbedtls_threadlock.c", + }, + }); } pub fn buildAda(b: *Build, m: *Build.Module) !void { diff --git a/build.zig.zon b/build.zig.zon index 736c94ec..639b0d4b 100644 --- a/build.zig.zon +++ b/build.zig.zon @@ -13,5 +13,10 @@ .url = "https://github.com/ada-url/ada/releases/download/v3.3.0/singleheader.zip", .hash = "N-V-__8AAPmhFAAw64ALjlzd5YMtzpSrmZ6KymsT84BKfB4s", }, + .@"boringssl-zig" = .{ + .url = "git+https://github.com/Syndica/boringssl-zig.git#01b27c04e42cbb50173348bf2f225b2e223ef87a", + .hash = "boringssl-0.1.0-VtJeWehMAAA4RNnwRnzEvKcS9rjsR1QVRw1uJrwXxmVK", + .lazy = true, + }, }, } From a124f5caa9b559b3a12ec84423513b83f9865c97 Mon Sep 17 00:00:00 2001 From: Halil Durak Date: Wed, 26 Nov 2025 12:26:45 +0300 Subject: [PATCH 2/4] make BoringSSL the default TLS backend --- build.zig | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build.zig b/build.zig index d50150e9..f2c32cc4 100644 --- a/build.zig +++ b/build.zig @@ -46,7 +46,7 @@ pub fn build(b: *Build) !void { b.option([]const u8, "git_commit", "Current git commit") orelse "dev", ); - const use_boringssl = b.option(bool, "use-boringssl", "Whether use BoringSSL (default:false)") orelse false; + const use_boringssl = b.option(bool, "use-boringssl", "Whether use BoringSSL (default:true)") orelse true; const target = b.standardTargetOptions(.{}); const optimize = b.standardOptimizeOption(.{}); @@ -69,7 +69,7 @@ pub fn build(b: *Build) !void { // compile and install const exe = b.addExecutable(.{ - .name = if (use_boringssl) "lightpanda-boringssl" else "lightpanda-mbedtls", + .name = "lightpanda", .use_llvm = true, .root_module = lightpanda_module, }); From 5c71e0f93b5324c33c3a19b6c28cb594e7f1a09e Mon Sep 17 00:00:00 2001 From: Halil Durak Date: Wed, 26 Nov 2025 16:06:57 +0300 Subject: [PATCH 3/4] wipe Mbed TLS --- .gitmodules | 3 --- build.zig | 62 +++++++++++++++++--------------------------------- build.zig.zon | 3 +-- vendor/mbedtls | 1 - 4 files changed, 22 insertions(+), 47 deletions(-) delete mode 160000 vendor/mbedtls diff --git a/.gitmodules b/.gitmodules index 717d079b..b836938c 100644 --- a/.gitmodules +++ b/.gitmodules @@ -22,9 +22,6 @@ [submodule "vendor/nghttp2"] path = vendor/nghttp2 url = https://github.com/nghttp2/nghttp2.git -[submodule "vendor/mbedtls"] - path = vendor/mbedtls - url = https://github.com/Mbed-TLS/mbedtls.git [submodule "vendor/zlib"] path = vendor/zlib url = https://github.com/madler/zlib.git diff --git a/build.zig b/build.zig index f2c32cc4..e206b9eb 100644 --- a/build.zig +++ b/build.zig @@ -46,8 +46,6 @@ pub fn build(b: *Build) !void { b.option([]const u8, "git_commit", "Current git commit") orelse "dev", ); - const use_boringssl = b.option(bool, "use-boringssl", "Whether use BoringSSL (default:true)") orelse true; - const target = b.standardTargetOptions(.{}); const optimize = b.standardOptimizeOption(.{}); @@ -61,7 +59,7 @@ pub fn build(b: *Build) !void { .link_libc = true, .link_libcpp = true, }); - try addDependencies(b, lightpanda_module, opts, use_boringssl); + try addDependencies(b, lightpanda_module, opts); { // browser @@ -115,7 +113,7 @@ pub fn build(b: *Build) !void { .target = target, .optimize = optimize, }); - try addDependencies(b, wpt_module, opts, use_boringssl); + try addDependencies(b, wpt_module, opts); // compile and install const wpt = b.addExecutable(.{ @@ -153,7 +151,7 @@ pub fn build(b: *Build) !void { } } -fn addDependencies(b: *Build, mod: *Build.Module, opts: *Build.Step.Options, use_boringssl: bool) !void { +fn addDependencies(b: *Build, mod: *Build.Module, opts: *Build.Step.Options) !void { try moduleNetSurf(b, mod); mod.addImport("build_config", opts.createModule()); @@ -376,39 +374,29 @@ fn addDependencies(b: *Build, mod: *Build.Module, opts: *Build.Step.Options, use mod.addCMacro("STDC_HEADERS", "1"); mod.addCMacro("TIME_WITH_SYS_TIME", "1"); mod.addCMacro("USE_NGHTTP2", "1"); - if (use_boringssl) { - mod.addCMacro("USE_OPENSSL", "1"); - mod.addCMacro("OPENSSL_IS_BORINGSSL", "1"); - } else { - mod.addCMacro("USE_MBEDTLS", "1"); - } + mod.addCMacro("USE_OPENSSL", "1"); + mod.addCMacro("OPENSSL_IS_BORINGSSL", "1"); mod.addCMacro("USE_THREADS_POSIX", "1"); mod.addCMacro("USE_UNIX_SOCKETS", "1"); } try buildZlib(b, mod); try buildBrotli(b, mod); - if (use_boringssl) { - const maybe_boringssl_dep = b.lazyDependency("boringssl-zig", .{ - .target = target, - .optimize = mod.optimize.?, - .force_pic = true, - }); + const boringssl_dep = b.dependency("boringssl-zig", .{ + .target = target, + .optimize = mod.optimize.?, + .force_pic = true, + }); - if (maybe_boringssl_dep) |boringssl_dep| { - const ssl = boringssl_dep.artifact("ssl"); - ssl.bundle_ubsan_rt = false; - const crypto = boringssl_dep.artifact("crypto"); - crypto.bundle_ubsan_rt = false; + const ssl = boringssl_dep.artifact("ssl"); + ssl.bundle_ubsan_rt = false; + const crypto = boringssl_dep.artifact("crypto"); + crypto.bundle_ubsan_rt = false; - mod.linkLibrary(ssl); - mod.linkLibrary(crypto); - } - } else { - try buildMbedtls(b, mod); - } + mod.linkLibrary(ssl); + mod.linkLibrary(crypto); try buildNghttp2(b, mod); - try buildCurl(b, mod, use_boringssl); + try buildCurl(b, mod); try buildAda(b, mod); switch (target.result.os.tag) { @@ -699,7 +687,7 @@ fn buildNghttp2(b: *Build, m: *Build.Module) !void { } }); } -fn buildCurl(b: *Build, m: *Build.Module, use_boringssl: bool) !void { +fn buildCurl(b: *Build, m: *Build.Module) !void { const curl = b.addLibrary(.{ .name = "curl", .root_module = m, @@ -867,20 +855,12 @@ fn buildCurl(b: *Build, m: *Build.Module, use_boringssl: bool) !void { root ++ "lib/vauth/spnego_sspi.c", root ++ "lib/vauth/vauth.c", root ++ "lib/vtls/cipher_suite.c", - root ++ "lib/vtls/vtls.c", - root ++ "lib/vtls/vtls_scache.c", - root ++ "lib/vtls/x509asn1.c", - }, - }); - - curl.addCSourceFiles(.{ - .files = if (use_boringssl) &.{ root ++ "lib/vtls/openssl.c", root ++ "lib/vtls/hostcheck.c", root ++ "lib/vtls/keylog.c", - } else &.{ - root ++ "lib/vtls/mbedtls.c", - root ++ "lib/vtls/mbedtls_threadlock.c", + root ++ "lib/vtls/vtls.c", + root ++ "lib/vtls/vtls_scache.c", + root ++ "lib/vtls/x509asn1.c", }, }); } diff --git a/build.zig.zon b/build.zig.zon index 639b0d4b..02b217df 100644 --- a/build.zig.zon +++ b/build.zig.zon @@ -14,9 +14,8 @@ .hash = "N-V-__8AAPmhFAAw64ALjlzd5YMtzpSrmZ6KymsT84BKfB4s", }, .@"boringssl-zig" = .{ - .url = "git+https://github.com/Syndica/boringssl-zig.git#01b27c04e42cbb50173348bf2f225b2e223ef87a", + .url = "git+https://github.com/Syndica/boringssl-zig.git#c53df00d06b02b755ad88bbf4d1202ed9687b096", .hash = "boringssl-0.1.0-VtJeWehMAAA4RNnwRnzEvKcS9rjsR1QVRw1uJrwXxmVK", - .lazy = true, }, }, } diff --git a/vendor/mbedtls b/vendor/mbedtls deleted file mode 160000 index c765c831..00000000 --- a/vendor/mbedtls +++ /dev/null @@ -1 +0,0 @@ -Subproject commit c765c831e5c2a0971410692f92f7a81d6ec65ec2 From 3f8ad1ae35e3d29fe379d0727b42a82f9f9d151b Mon Sep 17 00:00:00 2001 From: Halil Durak Date: Thu, 27 Nov 2025 10:53:47 +0300 Subject: [PATCH 4/4] ci: increase e2e-test max memory --- .github/workflows/e2e-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index fb295246..62cff3b1 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml @@ -122,7 +122,7 @@ jobs: needs: zig-build-release env: - MAX_MEMORY: 27000 + MAX_MEMORY: 28000 MAX_AVG_DURATION: 23 LIGHTPANDA_DISABLE_TELEMETRY: true