[mbedTLS] Enable TLS 1.3 support

Move library initialization to module registration functions. Only set library debug threshold when verbose output is enabled. TLSv1.3 functions seems to be a bit more verbose then expected, and generate a lot of noise. Yet, some level of debugging without recompiling the engine would be nice. We should discuss this upstream.
godotengine · Sep 26, 2024 · 8ffb769 · 8ffb769
1 parent a0d1ba4
commit 8ffb769
Show file tree

Hide file tree

Showing 21 changed files with 16,934 additions and 17 deletions.
diff --git a/doc/classes/HTTPClient.xml b/doc/classes/HTTPClient.xml
@@ -12,7 +12,7 @@
 		[b]Note:[/b] When exporting to Android, make sure to enable the [code]INTERNET[/code] permission in the Android export preset before exporting the project or using one-click deploy. Otherwise, network communication of any kind will be blocked by Android.
 		[b]Note:[/b] It's recommended to use transport encryption (TLS) and to avoid sending sensitive information (such as login credentials) in HTTP GET URL parameters. Consider using HTTP POST requests or HTTP headers for such information instead.
 		[b]Note:[/b] When performing HTTP requests from a project exported to Web, keep in mind the remote server may not allow requests from foreign origins due to [url=https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS]CORS[/url]. If you host the server in question, you should modify its backend to allow requests from foreign origins by adding the [code]Access-Control-Allow-Origin: *[/code] HTTP header.
-		[b]Note:[/b] TLS support is currently limited to TLS 1.0, TLS 1.1, and TLS 1.2. Attempting to connect to a TLS 1.3-only server will return an error.
+		[b]Note:[/b] TLS support is currently limited to TLSv1.2 and TLSv1.3. Attempting to connect to a server that only supports older (insecure) TLS versions will return an error.
 		[b]Warning:[/b] TLS certificate revocation and certificate pinning are currently not supported. Revoked certificates are accepted as long as they are otherwise valid. If this is a concern, you may want to use automatically managed certificates with a short validity period.
 	</description>
 	<tutorials>

diff --git a/modules/mbedtls/SCsub b/modules/mbedtls/SCsub
@@ -66,6 +66,22 @@ if env["builtin_mbedtls"]:
         "platform.c",
         "platform_util.c",
         "poly1305.c",
+        "psa_crypto.c",
+        "psa_crypto_aead.c",
+        "psa_crypto_cipher.c",
+        "psa_crypto_client.c",
+        "psa_crypto_driver_wrappers_no_static.c",
+        "psa_crypto_ecp.c",
+        "psa_crypto_ffdh.c",
+        "psa_crypto_hash.c",
+        "psa_crypto_mac.c",
+        "psa_crypto_pake.c",
+        "psa_crypto_rsa.c",
+        "psa_crypto_se.c",
+        "psa_crypto_slot_management.c",
+        "psa_crypto_storage.c",
+        "psa_its_file.c",
+        "psa_util.c",
         "ripemd160.c",
         "rsa.c",
         "rsa_alt_helpers.c",

diff --git a/modules/mbedtls/crypto_mbedtls.cpp b/modules/mbedtls/crypto_mbedtls.cpp
@@ -314,10 +314,6 @@ Crypto *CryptoMbedTLS::create(bool p_notify_postinitialize) {
 }
 
 void CryptoMbedTLS::initialize_crypto() {
-#ifdef DEBUG_ENABLED
-	mbedtls_debug_set_threshold(1);
-#endif
-
 	Crypto::_create = create;
 	Crypto::_load_default_certificates = load_default_certificates;
 	X509CertificateMbedTLS::make_default();

diff --git a/modules/mbedtls/register_types.cpp b/modules/mbedtls/register_types.cpp
@@ -35,15 +35,34 @@
 #include "packet_peer_mbed_dtls.h"
 #include "stream_peer_mbedtls.h"
 
+#if MBEDTLS_VERSION_MAJOR >= 3
+#include <psa/crypto.h>
+#endif
+
 #ifdef TESTS_ENABLED
 #include "tests/test_crypto_mbedtls.h"
 #endif
 
+static bool godot_mbedtls_initialized = false;
+
 void initialize_mbedtls_module(ModuleInitializationLevel p_level) {
 	if (p_level != MODULE_INITIALIZATION_LEVEL_SCENE) {
 		return;
 	}
 
+#if MBEDTLS_VERSION_MAJOR >= 3
+	int status = psa_crypto_init();
+	ERR_FAIL_COND_MSG(status != PSA_SUCCESS, "Failed to initialize psa crypto. The mbedTLS modules will not work.");
+#endif
+
+#ifdef DEBUG_ENABLED
+	if (OS::get_singleton()->is_stdout_verbose()) {
+		mbedtls_debug_set_threshold(1);
+	}
+#endif
+
+	godot_mbedtls_initialized = true;
+
 	CryptoMbedTLS::initialize_crypto();
 	StreamPeerMbedTLS::initialize_tls();
 	PacketPeerMbedDTLS::initialize_dtls();
@@ -55,6 +74,14 @@ void uninitialize_mbedtls_module(ModuleInitializationLevel p_level) {
 		return;
 	}
 
+	if (!godot_mbedtls_initialized) {
+		return;
+	}
+
+#if MBEDTLS_VERSION_MAJOR >= 3
+	mbedtls_psa_crypto_free();
+#endif
+
 	DTLSServerMbedTLS::finalize();
 	PacketPeerMbedDTLS::finalize_dtls();
 	StreamPeerMbedTLS::finalize_tls();

diff --git a/thirdparty/mbedtls/include/godot_module_mbedtls_config.h b/thirdparty/mbedtls/include/godot_module_mbedtls_config.h
@@ -59,18 +59,6 @@
 // Disable deprecated
 #define MBEDTLS_DEPRECATED_REMOVED
 
-// mbedTLS 3.6 finally enabled TLSv1.3 by default, but it requires some mobule
-// changes, and to enable PSA crypto (new "standard" API specification).
-// Disable it for now.
-#undef MBEDTLS_SSL_PROTO_TLS1_3
-
-// Disable PSA Crypto.
-#undef MBEDTLS_PSA_CRYPTO_CONFIG
-#undef MBEDTLS_PSA_CRYPTO_C
-#undef MBEDTLS_PSA_CRYPTO_STORAGE_C
-#undef MBEDTLS_PSA_ITS_FILE_C
-#undef MBEDTLS_LMS_C
-
 #endif // GODOT_MBEDTLS_INCLUDE_H
 
 #endif // GODOT_MODULE_MBEDTLS_CONFIG_H