mbedtls: Backport Windows fix to use bcrypt for entropy

We had a slightly older version of it for UWP, as the wincrypt API isn't allowed there.
We removed this with UWP in #81416, but since this was enabled inconditionally before,
this actually changed behavior for Windows compared to Godot 4.1 and earlier.

This change is also needed to properly supported Windows Store.
This commit is contained in:
Rémi Verschelde 2023-10-27 10:25:50 +02:00
parent 09946f79bd
commit b9d008de3d
No known key found for this signature in database
GPG Key ID: C3336907360768E1
3 changed files with 76 additions and 18 deletions

View File

@ -480,7 +480,7 @@ in the MSVC debugger.
## mbedtls ## mbedtls
- Upstream: https://github.com/Mbed-TLS/mbedtls - Upstream: https://github.com/Mbed-TLS/mbedtls
- Version: 2.28.4 (aeb97a18913a86f051afab11b2c92c6be0c2eb83, 2023) - Version: 2.28.5 (47e8cc9db2e469d902b0e3093ae9e482c3d87188, 2023)
- License: Apache 2.0 - License: Apache 2.0
File extracted from upstream release tarball: File extracted from upstream release tarball:
@ -490,8 +490,8 @@ File extracted from upstream release tarball:
- All `.c` and `.h` from `library/` to `thirdparty/mbedtls/library/` except - All `.c` and `.h` from `library/` to `thirdparty/mbedtls/library/` except
those starting with `psa_*` those starting with `psa_*`
- The `LICENSE` file - The `LICENSE` file
- Applied the patch in `patches/windows-arm64-hardclock.diff` - Applied the patch `windows-arm64-hardclock.diff` to fix Windows ARM64 build
Applied the patch in `aesni-no-arm-intrinsics.patch` to fix MSVC ARM build Applied the patch `windows-entropy-bcrypt.diff` to fix Windows Store support
- Added 2 files `godot_core_mbedtls_platform.c` and `godot_core_mbedtls_config.h` - Added 2 files `godot_core_mbedtls_platform.c` and `godot_core_mbedtls_config.h`
providing configuration for light bundling with core providing configuration for light bundling with core
- Added the file `godot_module_mbedtls_config.h` to customize the build - Added the file `godot_module_mbedtls_config.h` to customize the build

View File

@ -51,31 +51,33 @@
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
#if !defined(_WIN32_WINNT)
#define _WIN32_WINNT 0x0400
#endif
#include <windows.h> #include <windows.h>
#include <wincrypt.h> #include <bcrypt.h>
#include <intsafe.h>
int mbedtls_platform_entropy_poll(void *data, unsigned char *output, size_t len, int mbedtls_platform_entropy_poll(void *data, unsigned char *output, size_t len,
size_t *olen) size_t *olen)
{ {
HCRYPTPROV provider;
((void) data); ((void) data);
*olen = 0; *olen = 0;
if (CryptAcquireContext(&provider, NULL, NULL, /*
PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) == FALSE) { * BCryptGenRandom takes ULONG for size, which is smaller than size_t on
return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; * 64-bit Windows platforms. Extract entropy in chunks of len (dependent
} * on ULONG_MAX) size.
*/
while (len != 0) {
unsigned long ulong_bytes =
(len > ULONG_MAX) ? ULONG_MAX : (unsigned long) len;
if (CryptGenRandom(provider, (DWORD) len, output) == FALSE) { if (!BCRYPT_SUCCESS(BCryptGenRandom(NULL, output, ulong_bytes,
CryptReleaseContext(provider, 0); BCRYPT_USE_SYSTEM_PREFERRED_RNG))) {
return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
} }
CryptReleaseContext(provider, 0); *olen += ulong_bytes;
*olen = len; len -= ulong_bytes;
}
return 0; return 0;
} }

View File

@ -0,0 +1,56 @@
Backported from: https://github.com/Mbed-TLS/mbedtls/pull/8047
diff --git a/thirdparty/mbedtls/library/entropy_poll.c b/thirdparty/mbedtls/library/entropy_poll.c
index 3420616a06..fec2abc2e4 100644
--- a/thirdparty/mbedtls/library/entropy_poll.c
+++ b/thirdparty/mbedtls/library/entropy_poll.c
@@ -51,32 +51,34 @@
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
-#if !defined(_WIN32_WINNT)
-#define _WIN32_WINNT 0x0400
-#endif
#include <windows.h>
-#include <wincrypt.h>
+#include <bcrypt.h>
+#include <intsafe.h>
int mbedtls_platform_entropy_poll(void *data, unsigned char *output, size_t len,
size_t *olen)
{
- HCRYPTPROV provider;
((void) data);
*olen = 0;
- if (CryptAcquireContext(&provider, NULL, NULL,
- PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) == FALSE) {
- return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
- }
+ /*
+ * BCryptGenRandom takes ULONG for size, which is smaller than size_t on
+ * 64-bit Windows platforms. Extract entropy in chunks of len (dependent
+ * on ULONG_MAX) size.
+ */
+ while (len != 0) {
+ unsigned long ulong_bytes =
+ (len > ULONG_MAX) ? ULONG_MAX : (unsigned long) len;
+
+ if (!BCRYPT_SUCCESS(BCryptGenRandom(NULL, output, ulong_bytes,
+ BCRYPT_USE_SYSTEM_PREFERRED_RNG))) {
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ }
- if (CryptGenRandom(provider, (DWORD) len, output) == FALSE) {
- CryptReleaseContext(provider, 0);
- return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ *olen += ulong_bytes;
+ len -= ulong_bytes;
}
- CryptReleaseContext(provider, 0);
- *olen = len;
-
return 0;
}
#else /* _WIN32 && !EFIX64 && !EFI32 */