[mbedTLS] Enable TLS 1.3 support

Move library initialization to module registration functions. Only set library debug threshold when verbose output is enabled. TLSv1.3 functions seems to be a bit more verbose then expected, and generate a lot of noise. Yet, some level of debugging without recompiling the engine would be nice. We should discuss this upstream.
godotengine · Sep 26, 2024 · 936657c · 936657c
1 parent 395a4fc
commit 936657c
Show file tree

Hide file tree

Showing 20 changed files with 16,933 additions and 16 deletions.
diff --git a/modules/mbedtls/SCsub b/modules/mbedtls/SCsub
@@ -65,6 +65,22 @@ if env["builtin_mbedtls"]:
  "platform.c",
  "platform_util.c",
  "poly1305.c",
+ "psa_crypto.c",
+ "psa_crypto_aead.c",
+ "psa_crypto_cipher.c",
+ "psa_crypto_client.c",
+ "psa_crypto_driver_wrappers_no_static.c",
+ "psa_crypto_ecp.c",
+ "psa_crypto_ffdh.c",
+ "psa_crypto_hash.c",
+ "psa_crypto_mac.c",
+ "psa_crypto_pake.c",
+ "psa_crypto_rsa.c",
+ "psa_crypto_se.c",
+ "psa_crypto_slot_management.c",
+ "psa_crypto_storage.c",
+ "psa_its_file.c",
+ "psa_util.c",
  "ripemd160.c",
  "rsa.c",
  "rsa_alt_helpers.c",

diff --git a/modules/mbedtls/crypto_mbedtls.cpp b/modules/mbedtls/crypto_mbedtls.cpp
@@ -314,10 +314,6 @@ Crypto *CryptoMbedTLS::create(bool p_notify_postinitialize) {
 }
 
 void CryptoMbedTLS::initialize_crypto() {
-#ifdef DEBUG_ENABLED
- mbedtls_debug_set_threshold(1);
-#endif
-
  Crypto::_create = create;
  Crypto::_load_default_certificates = load_default_certificates;
  X509CertificateMbedTLS::make_default();

diff --git a/modules/mbedtls/register_types.cpp b/modules/mbedtls/register_types.cpp
@@ -35,15 +35,34 @@
 #include "packet_peer_mbed_dtls.h"
 #include "stream_peer_mbedtls.h"
 
+#if MBEDTLS_VERSION_MAJOR >= 3
+#include <psa/crypto.h>
+#endif
+
 #ifdef TESTS_ENABLED
 #include "tests/test_crypto_mbedtls.h"
 #endif
 
+static bool godot_mbedls_initialized = false;
+
 void initialize_mbedtls_module(ModuleInitializationLevel p_level) {
  if (p_level != MODULE_INITIALIZATION_LEVEL_SCENE) {
  return;
  }
 
+#if MBEDTLS_VERSION_MAJOR >= 3
+ int status = psa_crypto_init();
+ ERR_FAIL_COND_MSG(status != PSA_SUCCESS, "Failed to initialize psa crypto. The mbedTLS modules will not work.");
+#endif
+
+#ifdef DEBUG_ENABLED
+ if (OS::get_singleton()->is_stdout_verbose()) {
+ mbedtls_debug_set_threshold(1);
+ }
+#endif
+
+ godot_mbedls_initialized = true;
+
  CryptoMbedTLS::initialize_crypto();
  StreamPeerMbedTLS::initialize_tls();
  PacketPeerMbedDTLS::initialize_dtls();
@@ -55,6 +74,14 @@ void uninitialize_mbedtls_module(ModuleInitializationLevel p_level) {
  return;
  }
 
+ if (!godot_mbedls_initialized) {
+ return;
+ }
+
+#if MBEDTLS_VERSION_MAJOR >= 3
+ mbedtls_psa_crypto_free();
+#endif
+
  DTLSServerMbedTLS::finalize();
  PacketPeerMbedDTLS::finalize_dtls();
  StreamPeerMbedTLS::finalize_tls();

diff --git a/thirdparty/mbedtls/include/godot_module_mbedtls_config.h b/thirdparty/mbedtls/include/godot_module_mbedtls_config.h
@@ -59,18 +59,6 @@
 // Disable deprecated
 #define MBEDTLS_DEPRECATED_REMOVED
 
-// mbedTLS 3.6 finally enabled TLSv1.3 by default, but it requires some mobule
-// changes, and to enable PSA crypto (new "standard" API specification).
-// Disable it for now.
-#undef MBEDTLS_SSL_PROTO_TLS1_3
-
-// Disable PSA Crypto.
-#undef MBEDTLS_PSA_CRYPTO_CONFIG
-#undef MBEDTLS_PSA_CRYPTO_C
-#undef MBEDTLS_PSA_CRYPTO_STORAGE_C
-#undef MBEDTLS_PSA_ITS_FILE_C
-#undef MBEDTLS_LMS_C
-
 #endif // GODOT_MBEDTLS_INCLUDE_H
 
 #endif // GODOT_MODULE_MBEDTLS_CONFIG_H