summaryrefslogtreecommitdiffstats
path: root/modules/mbedtls
diff options
context:
space:
mode:
authorLyuma <xn.lyuma@gmail.com>2023-09-24 20:04:06 -0700
committerFabio Alessandrelli <fabio.alessandrelli@gmail.com>2024-04-10 21:19:22 +0200
commit40fa684c181d3138d8f86c70e5933fb0b3dcbac8 (patch)
tree4d104dfb95341e96ac2d98f9a9e3a85c5b7e55ca /modules/mbedtls
parent6c579280630715ff7da8310d405ef34194847294 (diff)
downloadredot-engine-40fa684c181d3138d8f86c70e5933fb0b3dcbac8.tar.gz
mbedTLS: Update to new LTS v3.6.0
Keep module compatibility with mbedtls 2.x (old LTS branch). A patch has been added to allow compiling after removing all the `psa_*` files from the library folder (will look into upstreaming it). Note: mbedTLS 3.6 finally enabled TLSv1.3 by default, but it requires some module changes, and to enable PSA crypto (new "standard" API specification), so it might be best done in a separate commit/PR.
Diffstat (limited to 'modules/mbedtls')
-rw-r--r--modules/mbedtls/SCsub32
-rw-r--r--modules/mbedtls/crypto_mbedtls.cpp46
-rw-r--r--modules/mbedtls/crypto_mbedtls.h2
-rw-r--r--modules/mbedtls/tls_context_mbedtls.h1
4 files changed, 60 insertions, 21 deletions
diff --git a/modules/mbedtls/SCsub b/modules/mbedtls/SCsub
index 04d26f9942..90ce98c751 100644
--- a/modules/mbedtls/SCsub
+++ b/modules/mbedtls/SCsub
@@ -12,24 +12,24 @@ thirdparty_obj = []
if env["builtin_mbedtls"]:
thirdparty_sources = [
"aes.c",
+ "aesce.c",
"aesni.c",
- "arc4.c",
"aria.c",
"asn1parse.c",
"asn1write.c",
"base64.c",
"bignum.c",
- "blowfish.c",
+ "bignum_core.c",
+ "bignum_mod_raw.c",
"camellia.c",
"ccm.c",
- "certs.c",
"chacha20.c",
"chachapoly.c",
"cipher.c",
"cipher_wrap.c",
"cmac.c",
- "ctr_drbg.c",
"constant_time.c",
+ "ctr_drbg.c",
"debug.c",
"des.c",
"dhm.c",
@@ -42,13 +42,10 @@ if env["builtin_mbedtls"]:
"entropy_poll.c",
"error.c",
"gcm.c",
- "havege.c",
"hkdf.c",
"hmac_drbg.c",
- "md2.c",
- "md4.c",
- "md5.c",
"md.c",
+ "md5.c",
"memory_buffer_alloc.c",
"mps_reader.c",
"mps_trace.c",
@@ -58,30 +55,37 @@ if env["builtin_mbedtls"]:
"padlock.c",
"pem.c",
"pk.c",
- "pkcs11.c",
+ "pk_ecc.c",
+ "pk_wrap.c",
"pkcs12.c",
"pkcs5.c",
+ "pkcs7.c",
"pkparse.c",
- "pk_wrap.c",
"pkwrite.c",
"platform.c",
"platform_util.c",
"poly1305.c",
"ripemd160.c",
"rsa.c",
- "rsa_internal.c",
+ "rsa_alt_helpers.c",
"sha1.c",
+ "sha3.c",
"sha256.c",
"sha512.c",
"ssl_cache.c",
"ssl_ciphersuites.c",
- "ssl_cli.c",
+ "ssl_client.c",
"ssl_cookie.c",
+ "ssl_debug_helpers_generated.c",
"ssl_msg.c",
- "ssl_srv.c",
"ssl_ticket.c",
"ssl_tls.c",
+ "ssl_tls12_client.c",
+ "ssl_tls12_server.c",
+ "ssl_tls13_client.c",
+ "ssl_tls13_generic.c",
"ssl_tls13_keys.c",
+ "ssl_tls13_server.c",
"threading.c",
"timing.c",
"version.c",
@@ -91,9 +95,9 @@ if env["builtin_mbedtls"]:
"x509_crl.c",
"x509_crt.c",
"x509_csr.c",
+ "x509write.c",
"x509write_crt.c",
"x509write_csr.c",
- "xtea.c",
]
thirdparty_dir = "#thirdparty/mbedtls/library/"
diff --git a/modules/mbedtls/crypto_mbedtls.cpp b/modules/mbedtls/crypto_mbedtls.cpp
index 859278d65e..e910627b32 100644
--- a/modules/mbedtls/crypto_mbedtls.cpp
+++ b/modules/mbedtls/crypto_mbedtls.cpp
@@ -69,7 +69,7 @@ Error CryptoKeyMbedTLS::load(const String &p_path, bool p_public_only) {
if (p_public_only) {
ret = mbedtls_pk_parse_public_key(&pkey, out.ptr(), out.size());
} else {
- ret = mbedtls_pk_parse_key(&pkey, out.ptr(), out.size(), nullptr, 0);
+ ret = _parse_key(out.ptr(), out.size());
}
// We MUST zeroize the memory for safety!
mbedtls_platform_zeroize(out.ptrw(), out.size());
@@ -108,7 +108,7 @@ Error CryptoKeyMbedTLS::load_from_string(const String &p_string_key, bool p_publ
if (p_public_only) {
ret = mbedtls_pk_parse_public_key(&pkey, (unsigned char *)p_string_key.utf8().get_data(), p_string_key.utf8().size());
} else {
- ret = mbedtls_pk_parse_key(&pkey, (unsigned char *)p_string_key.utf8().get_data(), p_string_key.utf8().size(), nullptr, 0);
+ ret = _parse_key((unsigned char *)p_string_key.utf8().get_data(), p_string_key.utf8().size());
}
ERR_FAIL_COND_V_MSG(ret, FAILED, "Error parsing key '" + itos(ret) + "'.");
@@ -134,6 +134,25 @@ String CryptoKeyMbedTLS::save_to_string(bool p_public_only) {
return s;
}
+int CryptoKeyMbedTLS::_parse_key(const uint8_t *p_buf, int p_size) {
+#if MBEDTLS_VERSION_MAJOR >= 3
+ mbedtls_entropy_context rng_entropy;
+ mbedtls_ctr_drbg_context rng_drbg;
+
+ mbedtls_ctr_drbg_init(&rng_drbg);
+ mbedtls_entropy_init(&rng_entropy);
+ int ret = mbedtls_ctr_drbg_seed(&rng_drbg, mbedtls_entropy_func, &rng_entropy, nullptr, 0);
+ ERR_FAIL_COND_V_MSG(ret != 0, ret, vformat("mbedtls_ctr_drbg_seed returned -0x%x\n", (unsigned int)-ret));
+
+ ret = mbedtls_pk_parse_key(&pkey, p_buf, p_size, nullptr, 0, mbedtls_ctr_drbg_random, &rng_drbg);
+ mbedtls_ctr_drbg_free(&rng_drbg);
+ mbedtls_entropy_free(&rng_entropy);
+ return ret;
+#else
+ return mbedtls_pk_parse_key(&pkey, p_buf, p_size, nullptr, 0);
+#endif
+}
+
X509Certificate *X509CertificateMbedTLS::create() {
return memnew(X509CertificateMbedTLS);
}
@@ -393,12 +412,17 @@ Ref<X509Certificate> CryptoMbedTLS::generate_self_signed_certificate(Ref<CryptoK
mbedtls_x509write_crt_set_version(&crt, MBEDTLS_X509_CRT_VERSION_3);
mbedtls_x509write_crt_set_md_alg(&crt, MBEDTLS_MD_SHA256);
+ uint8_t rand_serial[20];
+ mbedtls_ctr_drbg_random(&ctr_drbg, rand_serial, sizeof(rand_serial));
+
+#if MBEDTLS_VERSION_MAJOR >= 3
+ mbedtls_x509write_crt_set_serial_raw(&crt, rand_serial, sizeof(rand_serial));
+#else
mbedtls_mpi serial;
mbedtls_mpi_init(&serial);
- uint8_t rand_serial[20];
- mbedtls_ctr_drbg_random(&ctr_drbg, rand_serial, 20);
- ERR_FAIL_COND_V(mbedtls_mpi_read_binary(&serial, rand_serial, 20), nullptr);
+ ERR_FAIL_COND_V(mbedtls_mpi_read_binary(&serial, rand_serial, sizeof(rand_serial)), nullptr);
mbedtls_x509write_crt_set_serial(&crt, &serial);
+#endif
mbedtls_x509write_crt_set_validity(&crt, p_not_before.utf8().get_data(), p_not_after.utf8().get_data());
mbedtls_x509write_crt_set_basic_constraints(&crt, 1, -1);
@@ -407,7 +431,9 @@ Ref<X509Certificate> CryptoMbedTLS::generate_self_signed_certificate(Ref<CryptoK
unsigned char buf[4096];
memset(buf, 0, 4096);
int ret = mbedtls_x509write_crt_pem(&crt, buf, 4096, mbedtls_ctr_drbg_random, &ctr_drbg);
+#if MBEDTLS_VERSION_MAJOR < 3
mbedtls_mpi_free(&serial);
+#endif
mbedtls_x509write_crt_free(&crt);
ERR_FAIL_COND_V_MSG(ret != 0, nullptr, "Failed to generate certificate: " + itos(ret));
buf[4095] = '\0'; // Make sure strlen can't fail.
@@ -461,9 +487,17 @@ Vector<uint8_t> CryptoMbedTLS::sign(HashingContext::HashType p_hash_type, const
ERR_FAIL_COND_V_MSG(!key.is_valid(), Vector<uint8_t>(), "Invalid key provided.");
ERR_FAIL_COND_V_MSG(key->is_public_only(), Vector<uint8_t>(), "Invalid key provided. Cannot sign with public_only keys.");
size_t sig_size = 0;
+#if MBEDTLS_VERSION_MAJOR >= 3
+ unsigned char buf[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
+#else
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+#endif
Vector<uint8_t> out;
- int ret = mbedtls_pk_sign(&(key->pkey), type, p_hash.ptr(), size, buf, &sig_size, mbedtls_ctr_drbg_random, &ctr_drbg);
+ int ret = mbedtls_pk_sign(&(key->pkey), type, p_hash.ptr(), size, buf,
+#if MBEDTLS_VERSION_MAJOR >= 3
+ sizeof(buf),
+#endif
+ &sig_size, mbedtls_ctr_drbg_random, &ctr_drbg);
ERR_FAIL_COND_V_MSG(ret, out, "Error while signing: " + itos(ret));
out.resize(sig_size);
memcpy(out.ptrw(), buf, sig_size);
diff --git a/modules/mbedtls/crypto_mbedtls.h b/modules/mbedtls/crypto_mbedtls.h
index 60a413ed7c..52918cedf0 100644
--- a/modules/mbedtls/crypto_mbedtls.h
+++ b/modules/mbedtls/crypto_mbedtls.h
@@ -46,6 +46,8 @@ private:
int locks = 0;
bool public_only = true;
+ int _parse_key(const uint8_t *p_buf, int p_size);
+
public:
static CryptoKey *create();
static void make_default() { CryptoKey::_create = create; }
diff --git a/modules/mbedtls/tls_context_mbedtls.h b/modules/mbedtls/tls_context_mbedtls.h
index 29323688fb..b8a9e80b9f 100644
--- a/modules/mbedtls/tls_context_mbedtls.h
+++ b/modules/mbedtls/tls_context_mbedtls.h
@@ -36,7 +36,6 @@
#include "core/io/file_access.h"
#include "core/object/ref_counted.h"
-#include <mbedtls/config.h>
#include <mbedtls/ctr_drbg.h>
#include <mbedtls/debug.h>
#include <mbedtls/entropy.h>