godotengine · akien-mga · Sep 26, 2024 · Aug 31, 2024
@@ -12,7 +12,7 @@
 		[b]Note:[/b] When exporting to Android, make sure to enable the [code]INTERNET[/code] permission in the Android export preset before exporting the project or using one-click deploy. Otherwise, network communication of any kind will be blocked by Android.
 		[b]Note:[/b] It's recommended to use transport encryption (TLS) and to avoid sending sensitive information (such as login credentials) in HTTP GET URL parameters. Consider using HTTP POST requests or HTTP headers for such information instead.
 		[b]Note:[/b] When performing HTTP requests from a project exported to Web, keep in mind the remote server may not allow requests from foreign origins due to [url=https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS]CORS[/url]. If you host the server in question, you should modify its backend to allow requests from foreign origins by adding the [code]Access-Control-Allow-Origin: *[/code] HTTP header.
-		[b]Note:[/b] TLS support is currently limited to TLS 1.0, TLS 1.1, and TLS 1.2. Attempting to connect to a TLS 1.3-only server will return an error.
+		[b]Note:[/b] TLS support is currently limited to TLSv1.2 and TLSv1.3. Attempting to connect to a server that only supports older (insecure) TLS versions will return an error.
 		[b]Warning:[/b] TLS certificate revocation and certificate pinning are currently not supported. Revoked certificates are accepted as long as they are otherwise valid. If this is a concern, you may want to use automatically managed certificates with a short validity period.
 	</description>
 	<tutorials>

@@ -66,6 +66,22 @@ if env["builtin_mbedtls"]:
         "platform.c",
         "platform_util.c",
         "poly1305.c",
+        "psa_crypto.c",
+        "psa_crypto_aead.c",
+        "psa_crypto_cipher.c",
+        "psa_crypto_client.c",
+        "psa_crypto_driver_wrappers_no_static.c",
+        "psa_crypto_ecp.c",
+        "psa_crypto_ffdh.c",
+        "psa_crypto_hash.c",
+        "psa_crypto_mac.c",
+        "psa_crypto_pake.c",
+        "psa_crypto_rsa.c",
+        "psa_crypto_se.c",
+        "psa_crypto_slot_management.c",
+        "psa_crypto_storage.c",
+        "psa_its_file.c",
+        "psa_util.c",
         "ripemd160.c",
         "rsa.c",
         "rsa_alt_helpers.c",

@@ -314,10 +314,6 @@ Crypto *CryptoMbedTLS::create(bool p_notify_postinitialize) {
 }
 
 void CryptoMbedTLS::initialize_crypto() {
-#ifdef DEBUG_ENABLED
-	mbedtls_debug_set_threshold(1);
-#endif
-
 	Crypto::_create = create;
 	Crypto::_load_default_certificates = load_default_certificates;
 	X509CertificateMbedTLS::make_default();

@@ -35,15 +35,34 @@
 #include "packet_peer_mbed_dtls.h"
 #include "stream_peer_mbedtls.h"
 
+#if MBEDTLS_VERSION_MAJOR >= 3
+#include <psa/crypto.h>
+#endif
+
 #ifdef TESTS_ENABLED
 #include "tests/test_crypto_mbedtls.h"
 #endif
 
+static bool godot_mbedtls_initialized = false;
+
 void initialize_mbedtls_module(ModuleInitializationLevel p_level) {
 	if (p_level != MODULE_INITIALIZATION_LEVEL_SCENE) {
 		return;
 	}
 
+#if MBEDTLS_VERSION_MAJOR >= 3
+	int status = psa_crypto_init();
+	ERR_FAIL_COND_MSG(status != PSA_SUCCESS, "Failed to initialize psa crypto. The mbedTLS modules will not work.");
+#endif
+
+#ifdef DEBUG_ENABLED
+	if (OS::get_singleton()->is_stdout_verbose()) {
+		mbedtls_debug_set_threshold(1);
+	}
+#endif
+
+	godot_mbedtls_initialized = true;
+
 	CryptoMbedTLS::initialize_crypto();
 	StreamPeerMbedTLS::initialize_tls();
 	PacketPeerMbedDTLS::initialize_dtls();
@@ -55,6 +74,14 @@ void uninitialize_mbedtls_module(ModuleInitializationLevel p_level) {
 		return;
 	}
 
+	if (!godot_mbedtls_initialized) {
+		return;
+	}
+
+#if MBEDTLS_VERSION_MAJOR >= 3
+	mbedtls_psa_crypto_free();
+#endif
+
 	DTLSServerMbedTLS::finalize();
 	PacketPeerMbedDTLS::finalize_dtls();
 	StreamPeerMbedTLS::finalize_tls();

@@ -59,18 +59,6 @@
 // Disable deprecated
 #define MBEDTLS_DEPRECATED_REMOVED
 
-// mbedTLS 3.6 finally enabled TLSv1.3 by default, but it requires some mobule
-// changes, and to enable PSA crypto (new "standard" API specification).
-// Disable it for now.
-#undef MBEDTLS_SSL_PROTO_TLS1_3
-
-// Disable PSA Crypto.
-#undef MBEDTLS_PSA_CRYPTO_CONFIG
-#undef MBEDTLS_PSA_CRYPTO_C
-#undef MBEDTLS_PSA_CRYPTO_STORAGE_C
-#undef MBEDTLS_PSA_ITS_FILE_C
-#undef MBEDTLS_LMS_C
-
 #endif // GODOT_MBEDTLS_INCLUDE_H
 
 #endif // GODOT_MODULE_MBEDTLS_CONFIG_H