mbedTLS: disable weak crypto and TLS versions.

This commit adds a new mbedTLS configuration header to customize the
built-in library (and can be optionally replaced by a platform-specific
one).

Currently, it disables most weak cryptographic functions (with the
notable exceptions of MD5 and SHA-1), along with removing support for
TLS versions 1.0 and 1.1 (making TLSv1.2 the only supported one).

2 files changed, 4 insertions, 1 deletions

diff --git a/modules/mbedtls/SCsub b/modules/mbedtls/SCsub
index 9133fdef35..7c1204d2b7 100644
--- a/modules/mbedtls/SCsub
+++ b/modules/mbedtls/SCsub
@@ -100,10 +100,14 @@ if env["builtin_mbedtls"]:
     thirdparty_sources = [thirdparty_dir + file for file in thirdparty_sources]
 
     env_mbed_tls.Prepend(CPPPATH=["#thirdparty/mbedtls/include/"])
+    env_mbed_tls.Append(
+        CPPDEFINES=[("MBEDTLS_CONFIG_FILE", '\\"thirdparty/mbedtls/include/godot_module_mbedtls_config.h\\"')]
+    )
 
     env_thirdparty = env_mbed_tls.Clone()
     env_thirdparty.disable_warnings()
     env_thirdparty.add_source_files(thirdparty_obj, thirdparty_sources)
+    env_thirdparty.Depends(thirdparty_obj, "#thirdparty/mbedtls/include/godot_module_mbedtls_config.h")
     env.modules_sources += thirdparty_obj
 
 
diff --git a/modules/mbedtls/packet_peer_mbed_dtls.cpp b/modules/mbedtls/packet_peer_mbed_dtls.cpp
index e8eb32f88d..ed1a97cc2c 100644
--- a/modules/mbedtls/packet_peer_mbed_dtls.cpp
+++ b/modules/mbedtls/packet_peer_mbed_dtls.cpp
@@ -29,7 +29,6 @@
 /**************************************************************************/
 
 #include "packet_peer_mbed_dtls.h"
-#include "mbedtls/platform_util.h"
 
 #include "core/io/file_access.h"
 #include "core/io/stream_peer_tls.h"