Stowage/godot
2
0
Fork 0
mirror of https://github.com/godotengine/godot.git synced 2025-10-19 16:03:29 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #107501 from lawnjelly/3.6_cherrypicks_june_25

Browse source 
Cherry-picks for the 3.6 branch (future 3.6.1) - 2nd batch
This commit is contained in:
lawnjelly 2025-06-14 05:55:50 +01:00 committed by GitHub
commit ac8b19e5ab
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
32 changed files with 575 additions and 268 deletions
Download patch file Download diff file Expand all files Collapse all files

14
CHANGELOG.md
View file

@ -215,13 +215,13 @@ See the [release announcement](https://godotengine.org/article/godot-3-6-finally
- bullet updated to 3.25. - bullet updated to 3.25.
- Embree updated to version 3.13.5. - Embree updated to version 3.13.5.
- libpng updated to version 1.6.39. - libpng updated to version 1.6.43.
- libwebp updated to version 1.2.4. - libwebp updated to version 1.3.2.
- MbedTLS updated to version 2.28.2. - MbedTLS updated to version 2.28.8.
- miniupnpc updated to version 2.2.3. - miniupnpc updated to version 2.2.7.
- zlib/minizip updated to version 1.2.13. - zlib/minizip updated to version 1.3.1.
- zstd updated to version 1.5.2. - zstd updated to version 1.5.5.
- CA root certificates updated to 2022.10 bundle from Mozilla. - CA root certificates updated to 2024.03 bundle from Mozilla.
- SDL GameControllerDB updated to 2023-02-27 git snapshot. - SDL GameControllerDB updated to 2023-02-27 git snapshot.
#### XR #### XR

18
core/error_macros.h
View file

@ -77,15 +77,15 @@ struct ErrorHandlerList {
void add_error_handler(ErrorHandlerList *p_handler); void add_error_handler(ErrorHandlerList *p_handler);
void remove_error_handler(ErrorHandlerList *p_handler); void remove_error_handler(ErrorHandlerList *p_handler);
void _err_print_error(const char *p_function, const char *p_file, int p_line, const char *p_error, ErrorHandlerType p_type = ERR_HANDLER_ERROR); _NO_INLINE_ void _err_print_error(const char *p_function, const char *p_file, int p_line, const char *p_error, ErrorHandlerType p_type = ERR_HANDLER_ERROR);
void _err_print_error(const char *p_function, const char *p_file, int p_line, const String &p_error, ErrorHandlerType p_type = ERR_HANDLER_ERROR); _NO_INLINE_ void _err_print_error(const char *p_function, const char *p_file, int p_line, const String &p_error, ErrorHandlerType p_type = ERR_HANDLER_ERROR);
void _err_print_error(const char *p_function, const char *p_file, int p_line, const char *p_error, const char *p_message, ErrorHandlerType p_type = ERR_HANDLER_ERROR); _NO_INLINE_ void _err_print_error(const char *p_function, const char *p_file, int p_line, const char *p_error, const char *p_message, ErrorHandlerType p_type = ERR_HANDLER_ERROR);
void _err_print_error(const char *p_function, const char *p_file, int p_line, const String &p_error, const char *p_message, ErrorHandlerType p_type = ERR_HANDLER_ERROR); _NO_INLINE_ void _err_print_error(const char *p_function, const char *p_file, int p_line, const String &p_error, const char *p_message, ErrorHandlerType p_type = ERR_HANDLER_ERROR);
void _err_print_error(const char *p_function, const char *p_file, int p_line, const char *p_error, const String &p_message, ErrorHandlerType p_type = ERR_HANDLER_ERROR); _NO_INLINE_ void _err_print_error(const char *p_function, const char *p_file, int p_line, const char *p_error, const String &p_message, ErrorHandlerType p_type = ERR_HANDLER_ERROR);
void _err_print_error(const char *p_function, const char *p_file, int p_line, const String &p_error, const String &p_message, ErrorHandlerType p_type = ERR_HANDLER_ERROR); _NO_INLINE_ void _err_print_error(const char *p_function, const char *p_file, int p_line, const String &p_error, const String &p_message, ErrorHandlerType p_type = ERR_HANDLER_ERROR);
void _err_print_index_error(const char *p_function, const char *p_file, int p_line, int64_t p_index, int64_t p_size, const char *p_index_str, const char *p_size_str, const char *p_message = "", bool fatal = false); _NO_INLINE_ void _err_print_index_error(const char *p_function, const char *p_file, int p_line, int64_t p_index, int64_t p_size, const char *p_index_str, const char *p_size_str, const char *p_message = "", bool fatal = false);
void _err_print_index_error(const char *p_function, const char *p_file, int p_line, int64_t p_index, int64_t p_size, const char *p_index_str, const char *p_size_str, const String &p_message, bool fatal = false); _NO_INLINE_ void _err_print_index_error(const char *p_function, const char *p_file, int p_line, int64_t p_index, int64_t p_size, const char *p_index_str, const char *p_size_str, const String &p_message, bool fatal = false);
void _err_flush_stdout(); _NO_INLINE_ void _err_flush_stdout();
void _physics_interpolation_warning(const char *p_function, const char *p_file, int p_line, ObjectID p_id, const char *p_warn_string); void _physics_interpolation_warning(const char *p_function, const char *p_file, int p_line, ObjectID p_id, const char *p_warn_string);

14
core/typedefs.h
View file

@ -69,6 +69,20 @@
#endif #endif
// Should never inline.
#ifndef _NO_INLINE_
#if defined(__GNUC__) && (__GNUC__ >= 4)
#define _NO_INLINE_ __attribute__((noinline))
#elif defined(__llvm__)
#define _NO_INLINE_ __attribute__((noinline))
#elif defined(_MSC_VER)
#define _NO_INLINE_ __declspec(noinline)
#else
#define _NO_INLINE_
#endif
#endif
// No discard allows the compiler to flag warnings if we don't use the return value of functions / classes // No discard allows the compiler to flag warnings if we don't use the return value of functions / classes
#ifndef _NO_DISCARD_ #ifndef _NO_DISCARD_
// c++ 17 onwards // c++ 17 onwards

1
doc/classes/TextureProgress.xml
View file

@ -41,6 +41,7 @@
</member> </member>
<member name="radial_initial_angle" type="float" setter="set_radial_initial_angle" getter="get_radial_initial_angle" default="0.0"> <member name="radial_initial_angle" type="float" setter="set_radial_initial_angle" getter="get_radial_initial_angle" default="0.0">
Starting angle for the fill of [member texture_progress] if [member fill_mode] is [constant FILL_CLOCKWISE] or [constant FILL_COUNTER_CLOCKWISE]. When the node's [code]value[/code] is equal to its [code]min_value[/code], the texture doesn't show up at all. When the [code]value[/code] increases, the texture fills and tends towards [member radial_fill_degrees]. Starting angle for the fill of [member texture_progress] if [member fill_mode] is [constant FILL_CLOCKWISE] or [constant FILL_COUNTER_CLOCKWISE]. When the node's [code]value[/code] is equal to its [code]min_value[/code], the texture doesn't show up at all. When the [code]value[/code] increases, the texture fills and tends towards [member radial_fill_degrees].
[b]Note:[/b] [member radial_initial_angle] is wrapped between [code]0[/code] and [code]360[/code] degrees (inclusive).
</member> </member>
<member name="stretch_margin_bottom" type="int" setter="set_stretch_margin" getter="get_stretch_margin" default="0"> <member name="stretch_margin_bottom" type="int" setter="set_stretch_margin" getter="get_stretch_margin" default="0">
The height of the 9-patch's bottom row. A margin of 16 means the 9-slice's bottom corners and side will have a height of 16 pixels. You can set all 4 margin values individually to create panels with non-uniform borders. The height of the 9-patch's bottom row. A margin of 16 means the 9-slice's bottom corners and side will have a height of 16 pixels. You can set all 4 margin values individually to create panels with non-uniform borders.

3
drivers/pulseaudio/audio_driver_pulseaudio.cpp
View file

@ -708,7 +708,8 @@ Error AudioDriverPulseAudio::capture_init_device() {
int input_buffer_frames = closest_power_of_2(input_latency * mix_rate / 1000); int input_buffer_frames = closest_power_of_2(input_latency * mix_rate / 1000);
int input_buffer_size = input_buffer_frames * spec.channels; int input_buffer_size = input_buffer_frames * spec.channels;
pa_buffer_attr attr; pa_buffer_attr attr = {};
attr.maxlength = (uint32_t)-1;
attr.fragsize = input_buffer_size * sizeof(int16_t); attr.fragsize = input_buffer_size * sizeof(int16_t);
pa_rec_str = pa_stream_new(pa_ctx, "Record", &spec, &pa_rec_map); pa_rec_str = pa_stream_new(pa_ctx, "Record", &spec, &pa_rec_map);

2
editor/plugins/tile_set_editor_plugin.cpp
View file

@ -2457,6 +2457,7 @@ void TileSetEditor::_zoom_on_position(float p_zoom, const Vector2 &p_position) {
void TileSetEditor::draw_highlight_current_tile() { void TileSetEditor::draw_highlight_current_tile() {
Color shadow_color = Color(0.3, 0.3, 0.3, 0.3); Color shadow_color = Color(0.3, 0.3, 0.3, 0.3);
Color border_color_red = Color(1, 0.1, 0.1, 0.9);
if ((workspace_mode == WORKSPACE_EDIT && get_current_tile() >= 0) || !edited_region.has_no_area()) { if ((workspace_mode == WORKSPACE_EDIT && get_current_tile() >= 0) || !edited_region.has_no_area()) {
Rect2 region; Rect2 region;
if (edited_region.has_no_area()) { if (edited_region.has_no_area()) {
@ -2478,6 +2479,7 @@ void TileSetEditor::draw_highlight_current_tile() {
if (region.position.y + region.size.y <= workspace->get_rect().size.y) { if (region.position.y + region.size.y <= workspace->get_rect().size.y) {
workspace->draw_rect(Rect2(0, region.position.y + region.size.y, workspace->get_rect().size.x, workspace->get_rect().size.y - region.size.y - region.position.y), shadow_color); workspace->draw_rect(Rect2(0, region.position.y + region.size.y, workspace->get_rect().size.x, workspace->get_rect().size.y - region.size.y - region.position.y), shadow_color);
} }
workspace->draw_rect(region.grow_individual(1.0f, 0.0f, 0.0f, 1.0f), border_color_red, false, 2.0f);
} else { } else {
workspace->draw_rect(Rect2(Point2(0, 0), workspace->get_rect().size), shadow_color); workspace->draw_rect(Rect2(Point2(0, 0), workspace->get_rect().size), shadow_color);
} }

12
main/godotcontrollerdb.txt
View file

@ -6,6 +6,18 @@ __XINPUT_DEVICE__,XInput Gamepad,a:b12,b:b13,x:b14,y:b15,start:b4,back:b5,leftst
# Android # Android
Default Android Gamepad,Default Controller,leftx:a0,lefty:a1,dpdown:h0.4,rightstick:b8,rightshoulder:b10,rightx:a2,start:b6,righty:a3,dpleft:h0.8,lefttrigger:a4,x:b2,dpup:h0.1,back:b4,leftstick:b7,leftshoulder:b9,y:b3,a:b0,dpright:h0.2,righttrigger:a5,b:b1,platform:Android, Default Android Gamepad,Default Controller,leftx:a0,lefty:a1,dpdown:h0.4,rightstick:b8,rightshoulder:b10,rightx:a2,start:b6,righty:a3,dpleft:h0.8,lefttrigger:a4,x:b2,dpup:h0.1,back:b4,leftstick:b7,leftshoulder:b9,y:b3,a:b0,dpright:h0.2,righttrigger:a5,b:b1,platform:Android,
58626f7820576972656c65737320436f,Xbox Series X Controller,a:b0,b:b1,back:b4,misc1:b15,dpdown:b12,dpleft:b13,dpright:b14,dpup:b11,guide:b5,leftshoulder:b9,leftstick:b7,lefttrigger:+a4,leftx:a0,lefty:a1,rightshoulder:b10,rightstick:b8,righttrigger:+a5,rightx:a2,righty:a3,start:b6,x:b2,y:b3,platform:Android,
050000005e04000091020000ff073f00,Xbox One Controller,a:b0,b:b1,back:b4,misc1:b15,dpdown:b12,dpleft:b13,dpright:b14,dpup:b11,guide:b5,leftshoulder:b9,leftstick:b7,lefttrigger:+a4,leftx:a0,lefty:a1,rightshoulder:b10,rightstick:b8,righttrigger:+a5,rightx:a2,righty:a3,start:b6,x:b2,y:b3,platform:Android,
050000005e04000091020000ff073f80,Xbox One Controller,a:b0,b:b1,back:b4,misc1:b15,dpdown:b12,dpleft:b13,dpright:b14,dpup:b11,guide:b5,leftshoulder:b9,leftstick:b7,lefttrigger:+a4,leftx:a0,lefty:a1,rightshoulder:b10,rightstick:b8,righttrigger:+a5,rightx:a2,righty:a3,start:b6,x:b2,y:b3,platform:Android,
050000005e040000e00200000ffe3f00,Xbox One Controller,a:b0,b:b1,back:b4,misc1:b15,dpdown:b12,dpleft:b13,dpright:b14,dpup:b11,guide:b5,leftshoulder:b9,leftstick:b7,lefttrigger:+a4,leftx:a0,lefty:a1,rightshoulder:b10,rightstick:b8,righttrigger:+a5,rightx:a2,righty:a3,start:b6,x:b2,y:b3,platform:Android,
050000005e040000e00200000ffe3f80,Xbox One Controller,a:b0,b:b1,back:b4,misc1:b15,dpdown:b12,dpleft:b13,dpright:b14,dpup:b11,guide:b5,leftshoulder:b9,leftstick:b7,lefttrigger:+a4,leftx:a0,lefty:a1,rightshoulder:b10,rightstick:b8,righttrigger:+a5,rightx:a2,righty:a3,start:b6,x:b2,y:b3,platform:Android,
050000005e040000e0020000ffff3f00,Xbox One Controller,a:b0,b:b1,back:b4,misc1:b15,dpdown:b12,dpleft:b13,dpright:b14,dpup:b11,guide:b5,leftshoulder:b9,leftstick:b7,lefttrigger:+a4,leftx:a0,lefty:a1,rightshoulder:b10,rightstick:b8,righttrigger:+a5,rightx:a2,righty:a3,start:b6,x:b2,y:b3,platform:Android,
050000005e040000e0020000ffff3f80,Xbox One Controller,a:b0,b:b1,back:b4,misc1:b15,dpdown:b12,dpleft:b13,dpright:b14,dpup:b11,guide:b5,leftshoulder:b9,leftstick:b7,lefttrigger:+a4,leftx:a0,lefty:a1,rightshoulder:b10,rightstick:b8,righttrigger:+a5,rightx:a2,righty:a3,start:b6,x:b2,y:b3,platform:Android,
050000005e040000fd020000ffff3f00,Xbox One Controller,a:b0,b:b1,back:b4,misc1:b15,dpdown:b12,dpleft:b13,dpright:b14,dpup:b11,guide:b5,leftshoulder:b9,leftstick:b7,lefttrigger:+a4,leftx:a0,lefty:a1,rightshoulder:b10,rightstick:b8,righttrigger:+a5,rightx:a2,righty:a3,start:b6,x:b2,y:b3,platform:Android,
33356661323266333733373865656366,Xbox One Controller,a:b0,b:b1,back:b4,misc1:b15,dpdown:b12,dpleft:b13,dpright:b14,dpup:b11,guide:b5,leftshoulder:b9,leftstick:b7,lefttrigger:+a4,leftx:a0,lefty:a1,rightshoulder:b10,rightstick:b8,righttrigger:+a5,rightx:a2,righty:a3,start:b6,x:b2,y:b3,platform:Android,
34356136633366613530316338376136,Xbox One Controller,a:b0,b:b1,back:b4,misc1:b15,dpdown:b12,dpleft:b13,dpright:b14,dpup:b11,guide:b5,leftshoulder:b9,leftstick:b7,lefttrigger:+a4,leftx:a0,lefty:a1,rightshoulder:b10,rightstick:b8,righttrigger:+a5,rightx:a2,righty:a3,start:b6,x:b2,y:b3,platform:Android,
35623965373264386238353433656138,Xbox One Controller,a:b0,b:b1,back:b4,misc1:b15,dpdown:b12,dpleft:b13,dpright:b14,dpup:b11,guide:b5,leftshoulder:b9,leftstick:b7,lefttrigger:+a4,leftx:a0,lefty:a1,rightshoulder:b10,rightstick:b8,righttrigger:+a5,rightx:a2,righty:a3,start:b6,x:b2,y:b3,platform:Android,
36616131643361333337396261666433,Xbox One Controller,a:b0,b:b1,back:b4,misc1:b15,dpdown:b12,dpleft:b13,dpright:b14,dpup:b11,guide:b5,leftshoulder:b9,leftstick:b7,lefttrigger:+a4,leftx:a0,lefty:a1,rightshoulder:b10,rightstick:b8,righttrigger:+a5,rightx:a2,righty:a3,start:b6,x:b2,y:b3,platform:Android,
# Javascript # Javascript
standard,Standard Gamepad Mapping,leftx:a0,lefty:a1,rightx:a2,righty:a3,lefttrigger:b6,righttrigger:b7,a:b0,b:b1,x:b2,y:b3,leftshoulder:b4,rightshoulder:b5,back:b8,start:b9,leftstick:b10,rightstick:b11,dpup:b12,dpdown:b13,dpleft:b14,dpright:b15,guide:b16,leftstick:b10,rightstick:b11,platform:Javascript, standard,Standard Gamepad Mapping,leftx:a0,lefty:a1,rightx:a2,righty:a3,lefttrigger:b6,righttrigger:b7,a:b0,b:b1,x:b2,y:b3,leftshoulder:b4,rightshoulder:b5,back:b8,start:b9,leftstick:b10,rightstick:b11,dpup:b12,dpdown:b13,dpleft:b14,dpright:b15,guide:b16,leftstick:b10,rightstick:b11,platform:Javascript,

6
platform/android/java/lib/src/org/godotengine/godot/input/GodotInputHandler.java
View file

@ -408,6 +408,9 @@ public class GodotInputHandler implements InputManager.InputDeviceListener {
case KeyEvent.KEYCODE_BUTTON_SELECT: case KeyEvent.KEYCODE_BUTTON_SELECT:
button = 4; button = 4;
break; break;
case KeyEvent.KEYCODE_BUTTON_MODE: // Home/Xbox Button on Xbox controllers
button = 5;
break;
case KeyEvent.KEYCODE_BUTTON_START: case KeyEvent.KEYCODE_BUTTON_START:
button = 6; button = 6;
break; break;
@ -429,6 +432,9 @@ public class GodotInputHandler implements InputManager.InputDeviceListener {
case KeyEvent.KEYCODE_DPAD_RIGHT: case KeyEvent.KEYCODE_DPAD_RIGHT:
button = 14; button = 14;
break; break;
case KeyEvent.KEYCODE_MEDIA_RECORD: // Share Button on Xbox controllers
button = 15;
break;
case KeyEvent.KEYCODE_BUTTON_C: case KeyEvent.KEYCODE_BUTTON_C:
button = 17; button = 17;
break; break;

1
platform/windows/os_windows.cpp
View file

@ -58,6 +58,7 @@ static const WORD MAX_CONSOLE_LINES = 1500;
extern "C" { extern "C" {
__declspec(dllexport) DWORD NvOptimusEnablement = 1; __declspec(dllexport) DWORD NvOptimusEnablement = 1;
__declspec(dllexport) int AmdPowerXpressRequestHighPerformance = 1; __declspec(dllexport) int AmdPowerXpressRequestHighPerformance = 1;
__declspec(dllexport) void NoHotPatch() {} // Disable Nahimic code injection.
} }
// Workaround mingw-w64 < 4.0 bug // Workaround mingw-w64 < 4.0 bug

10
scene/gui/rich_text_label.cpp
View file

@ -1848,9 +1848,17 @@ void RichTextLabel::push_font(const Ref<Font> &p_font) {
ItemFont *item = memnew(ItemFont); ItemFont *item = memnew(ItemFont);
item->font = p_font; item->font = p_font;
item->owner = get_instance_id();
item->font->connect("changed", this, "_invalidate_fonts", Vector<Variant>(), CONNECT_REFERENCE_COUNTED);
_add_item(item, true); _add_item(item, true);
} }
void RichTextLabel::_invalidate_fonts() {
main->first_invalid_line = 0; //invalidate ALL
update();
}
void RichTextLabel::push_normal() { void RichTextLabel::push_normal() {
Ref<Font> normal_font = get_font("normal_font"); Ref<Font> normal_font = get_font("normal_font");
ERR_FAIL_COND(normal_font.is_null()); ERR_FAIL_COND(normal_font.is_null());
@ -2927,6 +2935,8 @@ void RichTextLabel::_bind_methods() {
ClassDB::bind_method(D_METHOD("get_effects"), &RichTextLabel::get_effects); ClassDB::bind_method(D_METHOD("get_effects"), &RichTextLabel::get_effects);
ClassDB::bind_method(D_METHOD("install_effect", "effect"), &RichTextLabel::install_effect); ClassDB::bind_method(D_METHOD("install_effect", "effect"), &RichTextLabel::install_effect);
ClassDB::bind_method(D_METHOD("_invalidate_fonts"), &RichTextLabel::_invalidate_fonts);
ADD_GROUP("BBCode", "bbcode_"); ADD_GROUP("BBCode", "bbcode_");
ADD_PROPERTY(PropertyInfo(Variant::BOOL, "bbcode_enabled"), "set_use_bbcode", "is_using_bbcode"); ADD_PROPERTY(PropertyInfo(Variant::BOOL, "bbcode_enabled"), "set_use_bbcode", "is_using_bbcode");
ADD_PROPERTY(PropertyInfo(Variant::STRING, "bbcode_text", PROPERTY_HINT_MULTILINE_TEXT), "set_bbcode", "get_bbcode"); ADD_PROPERTY(PropertyInfo(Variant::STRING, "bbcode_text", PROPERTY_HINT_MULTILINE_TEXT), "set_bbcode", "get_bbcode");

12
scene/gui/rich_text_label.h
View file

@ -164,7 +164,17 @@ private:
struct ItemFont : public Item { struct ItemFont : public Item {
Ref<Font> font; Ref<Font> font;
ObjectID owner;
ItemFont() { type = ITEM_FONT; } ItemFont() { type = ITEM_FONT; }
~ItemFont() {
if (font.is_valid()) {
RichTextLabel *owner_rtl = Object::cast_to<RichTextLabel>(ObjectDB::get_instance(owner));
if (owner_rtl) {
font->disconnect("changed", owner_rtl, "_invalidate_fonts");
}
}
}
}; };
struct ItemColor : public Item { struct ItemColor : public Item {
@ -348,6 +358,8 @@ private:
void _add_item(Item *p_item, bool p_enter = false, bool p_ensure_newline = false); void _add_item(Item *p_item, bool p_enter = false, bool p_ensure_newline = false);
void _remove_item(Item *p_item, const int p_line, const int p_subitem_line); void _remove_item(Item *p_item, const int p_line, const int p_subitem_line);
void _invalidate_fonts();
struct ProcessState { struct ProcessState {
int line_width; int line_width;
}; };

13
scene/gui/texture_progress.cpp
View file

@ -31,6 +31,7 @@
#include "texture_progress.h" #include "texture_progress.h"
#include "core/engine.h" #include "core/engine.h"
#include "math.h"
void TextureProgress::set_under_texture(const Ref<Texture> &p_texture) { void TextureProgress::set_under_texture(const Ref<Texture> &p_texture) {
under = p_texture; under = p_texture;
@ -510,7 +511,7 @@ void TextureProgress::_notification(int p_what) {
} }
// Draw a reference cross. // Draw a reference cross.
if (Engine::get_singleton()->is_editor_hint()) { if (Engine::get_singleton()->is_editor_hint() && is_inside_tree() && get_tree()->get_edited_scene_root() && get_tree()->get_edited_scene_root()->get_parent()->is_a_parent_of(this)) {
Point2 p; Point2 p;
if (nine_patch_stretch) { if (nine_patch_stretch) {
@ -577,12 +578,12 @@ int TextureProgress::get_fill_mode() {
} }
void TextureProgress::set_radial_initial_angle(float p_angle) { void TextureProgress::set_radial_initial_angle(float p_angle) {
while (p_angle > 360) { ERR_FAIL_COND_MSG(!isfinite(p_angle), "Angle is non-finite.");
p_angle -= 360;
} if (p_angle < 0.0 || p_angle > 360.0) {
while (p_angle < 0) { p_angle = Math::fposmod(p_angle, 360.0f);
p_angle += 360;
} }
rad_init_angle = p_angle; rad_init_angle = p_angle;
update(); update();
} }

1
scene/main/viewport.cpp
View file

@ -408,6 +408,7 @@ void Viewport::_notification(int p_what) {
gui.mouse_in_window = false; gui.mouse_in_window = false;
_drop_physics_mouseover(); _drop_physics_mouseover();
_drop_mouse_over(); _drop_mouse_over();
_gui_cancel_tooltip();
// When the mouse exits the window, we want to end mouse_over, but // When the mouse exits the window, we want to end mouse_over, but
// not mouse_focus, because, for example, we want to continue // not mouse_focus, because, for example, we want to continue
// dragging a scrollbar even if the mouse has left the window. // dragging a scrollbar even if the mouse has left the window.

6
thirdparty/README.md vendored
View file

@ -34,8 +34,8 @@ Files extracted from upstream source:
## certs ## certs
- Upstream: Mozilla, via https://github.com/bagder/ca-bundle - Upstream: Mozilla, via https://github.com/bagder/ca-bundle
- Version: git (4d3fe6683f651d96be1bbef316b201e9b33b274d, 2024), - Version: git (bcc414c5b5282f9321651bf71dc1e254ae87e3f8, 2025),
generated from mozilla-release changeset b8ea2342548b8571e58f9176d9555ccdb5ec199f generated from mozilla-release changeset 60d4997d339bb7ac6d033819ac50dcad4b9be09d
- License: MPL 2.0 - License: MPL 2.0
Files extracted from upstream source: Files extracted from upstream source:
@ -283,7 +283,7 @@ Files extracted from upstream source:
## mbedtls ## mbedtls
- Upstream: https://github.com/Mbed-TLS/mbedtls - Upstream: https://github.com/Mbed-TLS/mbedtls
- Version: 2.28.9 (5e146adef63b326b04282252639bebc2730939c6, 2024) - Version: 2.28.10 (2fc8413bfcb51354c8e679141b17b3f1a5942561, 2025)
- License: Apache 2.0 - License: Apache 2.0
File extracted from upstream release tarball: File extracted from upstream release tarball:

212
thirdparty/certs/ca-certificates.crt vendored
View file

@ -1,7 +1,7 @@
## ##
## Bundle of CA Root Certificates ## Bundle of CA Root Certificates
## ##
## Certificate data from Mozilla as of: Sat Oct 19 21:26:09 2024 GMT ## Certificate data from Mozilla as of: Tue Apr 8 09:28:30 2025 GMT
## ##
## Find updated versions here: https://curl.se/docs/caextract.html ## Find updated versions here: https://curl.se/docs/caextract.html
## ##
@ -16,7 +16,7 @@
## Just configure this file as the SSLCACertificateFile. ## Just configure this file as the SSLCACertificateFile.
## ##
## Conversion done with mk-ca-bundle.pl version 1.29. ## Conversion done with mk-ca-bundle.pl version 1.29.
## SHA256: 36105b01631f9fc03b1eca779b44a30a1a5890b9bf8dc07ccb001a07301e01cf ## SHA256: 620fd89c02acb0019f1899dab7907db5d20735904f5a9a0d3a8771a5857ac482
## ##
@ -371,37 +371,6 @@ NU0LbbqhPcCT4H8js1WtciVORvnSFu+wZMEBnunKoGqYDs/YYPIvSbjkQuE4NRb0yG5P94FW6Lqj
viOvrv1vA+ACOzB2+httQc8Bsem4yWb02ybzOqR08kkkW8mw0FfB+j564ZfJ viOvrv1vA+ACOzB2+httQc8Bsem4yWb02ybzOqR08kkkW8mw0FfB+j564ZfJ
-----END CERTIFICATE----- -----END CERTIFICATE-----
SwissSign Silver CA - G2
========================
-----BEGIN CERTIFICATE-----
MIIFvTCCA6WgAwIBAgIITxvUL1S7L0swDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCQ0gxFTAT
BgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMYU3dpc3NTaWduIFNpbHZlciBDQSAtIEcyMB4X
DTA2MTAyNTA4MzI0NloXDTM2MTAyNTA4MzI0NlowRzELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3
aXNzU2lnbiBBRzEhMB8GA1UEAxMYU3dpc3NTaWduIFNpbHZlciBDQSAtIEcyMIICIjANBgkqhkiG
9w0BAQEFAAOCAg8AMIICCgKCAgEAxPGHf9N4Mfc4yfjDmUO8x/e8N+dOcbpLj6VzHVxumK4DV644
N0MvFz0fyM5oEMF4rhkDKxD6LHmD9ui5aLlV8gREpzn5/ASLHvGiTSf5YXu6t+WiE7brYT7QbNHm
+/pe7R20nqA1W6GSy/BJkv6FCgU+5tkL4k+73JU3/JHpMjUi0R86TieFnbAVlDLaYQ1HTWBCrpJH
6INaUFjpiou5XaHc3ZlKHzZnu0jkg7Y360g6rw9njxcH6ATK72oxh9TAtvmUcXtnZLi2kUpCe2Uu
MGoM9ZDulebyzYLs2aFK7PayS+VFheZteJMELpyCbTapxDFkH4aDCyr0NQp4yVXPQbBH6TCfmb5h
qAaEuSh6XzjZG6k4sIN/c8HDO0gqgg8hm7jMqDXDhBuDsz6+pJVpATqJAHgE2cn0mRmrVn5bi4Y5
FZGkECwJMoBgs5PAKrYYC51+jUnyEEp/+dVGLxmSo5mnJqy7jDzmDrxHB9xzUfFwZC8I+bRHHTBs
ROopN4WSaGa8gzj+ezku01DwH/teYLappvonQfGbGHLy9YR0SslnxFSuSGTfjNFusB3hB48IHpmc
celM2KX3RxIfdNFRnobzwqIjQAtz20um53MGjMGg6cFZrEb65i/4z3GcRm25xBWNOHkDRUjvxF3X
CO6HOSKGsg0PWEP3calILv3q1h8CAwEAAaOBrDCBqTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/
BAUwAwEB/zAdBgNVHQ4EFgQUF6DNweRBtjpbO8tFnb0cwpj6hlgwHwYDVR0jBBgwFoAUF6DNweRB
tjpbO8tFnb0cwpj6hlgwRgYDVR0gBD8wPTA7BglghXQBWQEDAQEwLjAsBggrBgEFBQcCARYgaHR0
cDovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIBAHPGgeAn0i0P
4JUw4ppBf1AsX19iYamGamkYDHRJ1l2E6kFSGG9YrVBWIGrGvShpWJHckRE1qTodvBqlYJ7YH39F
kWnZfrt4csEGDyrOj4VwYaygzQu4OSlWhDJOhrs9xCrZ1x9y7v5RoSJBsXECYxqCsGKrXlcSH9/L
3XWgwF15kIwb4FDm3jH+mHtwX6WQ2K34ArZv02DdQEsixT2tOnqfGhpHkXkzuoLcMmkDlm4fS/Bx
/uNncqCxv1yL5PqZIseEuRuNI5c/7SXgz2W79WEE790eslpBIlqhn10s6FvJbakMDHiqYMZWjwFa
DGi8aRl5xB9+lwW/xekkUV7U1UtT7dkjWjYDZaPBA61BMPNGG4WQr2W11bHkFlt4dR2Xem1ZqSqP
e97Dh4kQmUlzeMg9vVE1dCrV8X5pGyq7O70luJpaPXJhkGaH7gzWTdQRdAtq/gsD/KNVV4n+Ssuu
WxcFyPKNIzFTONItaj+CuY0IavdeQXRuwxF+B6wpYJE/OMpXEA29MC/HpeZBoNquBYeaoKRlbEwJ
DIm6uNO5wJOKMPqN5ZprFQFOZ6raYlY+hAhm0sQ2fac+EPyI4NSA5QC9qvNOBqN6avlicuMJT+ub
DgEj8Z+7fNzcbBGXJbLytGMU0gYqZ4yD9c7qB9iaah7s5Aq7KkzrCWA5zspi2C5u
-----END CERTIFICATE-----
SecureTrust CA SecureTrust CA
============== ==============
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
@ -584,27 +553,6 @@ NwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aULNmLazAZfNou2XjG4Kvte9nHfRCaexOYNkbQu
dZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E= dZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E=
-----END CERTIFICATE----- -----END CERTIFICATE-----
SecureSign RootCA11
===================
-----BEGIN CERTIFICATE-----
MIIDbTCCAlWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJKUDErMCkGA1UEChMi
SmFwYW4gQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcywgSW5jLjEcMBoGA1UEAxMTU2VjdXJlU2lnbiBS
b290Q0ExMTAeFw0wOTA0MDgwNDU2NDdaFw0yOTA0MDgwNDU2NDdaMFgxCzAJBgNVBAYTAkpQMSsw
KQYDVQQKEyJKYXBhbiBDZXJ0aWZpY2F0aW9uIFNlcnZpY2VzLCBJbmMuMRwwGgYDVQQDExNTZWN1
cmVTaWduIFJvb3RDQTExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/XeqpRyQBTvL
TJszi1oURaTnkBbR31fSIRCkF/3frNYfp+TbfPfs37gD2pRY/V1yfIw/XwFndBWW4wI8h9uuywGO
wvNmxoVF9ALGOrVisq/6nL+k5tSAMJjzDbaTj6nU2DbysPyKyiyhFTOVMdrAG/LuYpmGYz+/3ZMq
g6h2uRMft85OQoWPIucuGvKVCbIFtUROd6EgvanyTgp9UK31BQ1FT0Zx/Sg+U/sE2C3XZR1KG/rP
O7AxmjVuyIsG0wCR8pQIZUyxNAYAeoni8McDWc/V1uinMrPmmECGxc0nEovMe863ETxiYAcjPitA
bpSACW22s293bzUIUPsCh8U+iQIDAQABo0IwQDAdBgNVHQ4EFgQUW/hNT7KlhtQ60vFjmqC+CfZX
t94wDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAKCh
OBZmLqdWHyGcBvod7bkixTgm2E5P7KN/ed5GIaGHd48HCJqypMWvDzKYC3xmKbabfSVSSUOrTC4r
bnpwrxYO4wJs+0LmGJ1F2FXI6Dvd5+H0LgscNFxsWEr7jIhQX5Ucv+2rIrVls4W6ng+4reV6G4pQ
Oh29Dbx7VFALuUKvVaAYga1lme++5Jy/xIWrQbJUb9wlze144o4MjQlJ3WN7WmmWAiGovVJZ6X01
y8hSyn+B/tlr0/cR7SXf+Of5pPpyl4RTDaXQMhhRdlkUbA/r7F+AjHVDg8OFmP9Mni0N5HeDk061
lgeLKBObjBmNQSdJQO7e5iNEOdyhIta6A/I=
-----END CERTIFICATE-----
Microsec e-Szigno Root CA 2009 Microsec e-Szigno Root CA 2009
============================== ==============================
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
@ -2319,40 +2267,6 @@ hcErulWuBurQB7Lcq9CClnXO0lD+mefPL5/ndtFhKvshuzHQqp9HpLIiyhY6UFfEW0NnxWViA0kB
dBb9HxEGmpv0 dBb9HxEGmpv0
-----END CERTIFICATE----- -----END CERTIFICATE-----
Entrust Root Certification Authority - G4
=========================================
-----BEGIN CERTIFICATE-----
MIIGSzCCBDOgAwIBAgIRANm1Q3+vqTkPAAAAAFVlrVgwDQYJKoZIhvcNAQELBQAwgb4xCzAJBgNV
BAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1c3Qu
bmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxNSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1
dGhvcml6ZWQgdXNlIG9ubHkxMjAwBgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1
dGhvcml0eSAtIEc0MB4XDTE1MDUyNzExMTExNloXDTM3MTIyNzExNDExNlowgb4xCzAJBgNVBAYT
AlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0
L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxNSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhv
cml6ZWQgdXNlIG9ubHkxMjAwBgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhv
cml0eSAtIEc0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsewsQu7i0TD/pZJH4i3D
umSXbcr3DbVZwbPLqGgZ2K+EbTBwXX7zLtJTmeH+H17ZSK9dE43b/2MzTdMAArzE+NEGCJR5WIoV
3imz/f3ET+iq4qA7ec2/a0My3dl0ELn39GjUu9CH1apLiipvKgS1sqbHoHrmSKvS0VnM1n4j5pds
8ELl3FFLFUHtSUrJ3hCX1nbB76W1NhSXNdh4IjVS70O92yfbYVaCNNzLiGAMC1rlLAHGVK/XqsEQ
e9IFWrhAnoanw5CGAlZSCXqc0ieCU0plUmr1POeo8pyvi73TDtTUXm6Hnmo9RR3RXRv06QqsYJn7
ibT/mCzPfB3pAqoEmh643IhuJbNsZvc8kPNXwbMv9W3y+8qh+CmdRouzavbmZwe+LGcKKh9asj5X
xNMhIWNlUpEbsZmOeX7m640A2Vqq6nPopIICR5b+W45UYaPrL0swsIsjdXJ8ITzI9vF01Bx7owVV
7rtNOzK+mndmnqxpkCIHH2E6lr7lmk/MBTwoWdPBDFSoWWG9yHJM6Nyfh3+9nEg2XpWjDrk4JFX8
dWbrAuMINClKxuMrLzOg2qOGpRKX/YAr2hRC45K9PvJdXmd0LhyIRyk0X+IyqJwlN4y6mACXi0mW
Hv0liqzc2thddG5msP9E36EYxr5ILzeUePiVSj9/E15dWf10hkNjc0kCAwEAAaNCMEAwDwYDVR0T
AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJ84xFYjwznooHFs6FRM5Og6sb9n
MA0GCSqGSIb3DQEBCwUAA4ICAQAS5UKme4sPDORGpbZgQIeMJX6tuGguW8ZAdjwD+MlZ9POrYs4Q
jbRaZIxowLByQzTSGwv2LFPSypBLhmb8qoMi9IsabyZIrHZ3CL/FmFz0Jomee8O5ZDIBf9PD3Vht
7LGrhFV0d4QEJ1JrhkzO3bll/9bGXp+aEJlLdWr+aumXIOTkdnrG0CSqkM0gkLpHZPt/B7NTeLUK
YvJzQ85BK4FqLoUWlFPUa19yIqtRLULVAJyZv967lDtX/Zr1hstWO1uIAeV8KEsD+UmDfLJ/fOPt
jqF/YFOOVZ1QNBIPt5d7bIdKROf1beyAN/BYGW5KaHbwH5Lk6rWS02FREAutp9lfx1/cH6NcjKF+
m7ee01ZvZl4HliDtC3T7Zk6LERXpgUl+b7DUUH8i119lAg2m9IUe2K4GS0qn0jFmwvjO5QimpAKW
RGhXxNUzzxkvFMSUHHuk2fCfDrGA4tGeEWSpiBE6doLlYsKA2KSD7ZPvfC+QsDJMlhVoSFLUmQjA
JOgc47OlIQ6SwJAfzyBfyjs4x7dtOvPmRLgOMWuIjnDrnBdSqEGULoe256YSxXXfW8AKbnuk5F6G
+TaU33fD6Q3AOfF5u0aOq0NZJ7cguyPpVkAh7DE9ZapD8j3fcEThuk0mEDuYn/PIjhs4ViFqUZPT
kcpG2om3PVODLAgfi49T3f+sHw==
-----END CERTIFICATE-----
Microsoft ECC Root Certificate Authority 2017 Microsoft ECC Root Certificate Authority 2017
============================================= =============================================
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
@ -2602,6 +2516,36 @@ vLtoURMMA/cVi4RguYv/Uo7njLwcAjA8+RHUjE7AwWHCFUyqqx0LMV87HOIAl0Qx5v5zli/altP+
CAezNIm8BZ/3Hobui3A= CAezNIm8BZ/3Hobui3A=
-----END CERTIFICATE----- -----END CERTIFICATE-----
GLOBALTRUST 2020
================
-----BEGIN CERTIFICATE-----
MIIFgjCCA2qgAwIBAgILWku9WvtPilv6ZeUwDQYJKoZIhvcNAQELBQAwTTELMAkGA1UEBhMCQVQx
IzAhBgNVBAoTGmUtY29tbWVyY2UgbW9uaXRvcmluZyBHbWJIMRkwFwYDVQQDExBHTE9CQUxUUlVT
VCAyMDIwMB4XDTIwMDIxMDAwMDAwMFoXDTQwMDYxMDAwMDAwMFowTTELMAkGA1UEBhMCQVQxIzAh
BgNVBAoTGmUtY29tbWVyY2UgbW9uaXRvcmluZyBHbWJIMRkwFwYDVQQDExBHTE9CQUxUUlVTVCAy
MDIwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAri5WrRsc7/aVj6B3GyvTY4+ETUWi
D59bRatZe1E0+eyLinjF3WuvvcTfk0Uev5E4C64OFudBc/jbu9G4UeDLgztzOG53ig9ZYybNpyrO
VPu44sB8R85gfD+yc/LAGbaKkoc1DZAoouQVBGM+uq/ufF7MpotQsjj3QWPKzv9pj2gOlTblzLmM
CcpL3TGQlsjMH/1WljTbjhzqLL6FLmPdqqmV0/0plRPwyJiT2S0WR5ARg6I6IqIoV6Lr/sCMKKCm
fecqQjuCgGOlYx8ZzHyyZqjC0203b+J+BlHZRYQfEs4kUmSFC0iAToexIiIwquuuvuAC4EDosEKA
A1GqtH6qRNdDYfOiaxaJSaSjpCuKAsR49GiKweR6NrFvG5Ybd0mN1MkGco/PU+PcF4UgStyYJ9OR
JitHHmkHr96i5OTUawuzXnzUJIBHKWk7buis/UDr2O1xcSvy6Fgd60GXIsUf1DnQJ4+H4xj04KlG
DfV0OoIu0G4skaMxXDtG6nsEEFZegB31pWXogvziB4xiRfUg3kZwhqG8k9MedKZssCz3AwyIDMvU
clOGvGBG85hqwvG/Q/lwIHfKN0F5VVJjjVsSn8VoxIidrPIwq7ejMZdnrY8XD2zHc+0klGvIg5rQ
mjdJBKuxFshsSUktq6HQjJLyQUp5ISXbY9e2nKd+Qmn7OmMCAwEAAaNjMGEwDwYDVR0TAQH/BAUw
AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFNwuH9FhN3nkq9XVsxJxaD1qaJwiMB8GA1Ud
IwQYMBaAFNwuH9FhN3nkq9XVsxJxaD1qaJwiMA0GCSqGSIb3DQEBCwUAA4ICAQCR8EICaEDuw2jA
VC/f7GLDw56KoDEoqoOOpFaWEhCGVrqXctJUMHytGdUdaG/7FELYjQ7ztdGl4wJCXtzoRlgHNQIw
4Lx0SsFDKv/bGtCwr2zD/cuz9X9tAy5ZVp0tLTWMstZDFyySCstd6IwPS3BD0IL/qMy/pJTAvoe9
iuOTe8aPmxadJ2W8esVCgmxcB9CpwYhgROmYhRZf+I/KARDOJcP5YBugxZfD0yyIMaK9MOzQ0MAS
8cE54+X1+NZK3TTN+2/BT+MAi1bikvcoskJ3ciNnxz8RFbLEAwW+uxF7Cr+obuf/WEPPm2eggAe2
HcqtbepBEX4tdJP7wry+UUTF72glJ4DjyKDUEuzZpTcdN3y0kcra1LGWge9oXHYQSa9+pTeAsRxS
vTOBTI/53WXZFM2KJVj04sWDpQmQ1GwUY7VA3+vA/MRYfg0UFodUJ25W5HCEuGwyEn6CMUO+1918
oa2u1qsgEu8KwxCMSZY13At1XrFP1U80DhEgB3VDRemjEdqso5nCtnkn4rnvyOL2NSl6dPrFf4IF
YqYK6miyeUcGbvJXqBUzxvd4Sj1Ce2t+/vdG6tHrju+IaFvowdlxfv1k7/9nR4hYJS8+hge9+6jl
gqispdNpQ80xiEmEU5LAsTkbOYMBMMTyqfrQA71yN2BWHzZ8vTmR9W0Nv3vXkg==
-----END CERTIFICATE-----
ANF Secure Server Root CA ANF Secure Server Root CA
========================= =========================
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
@ -3140,36 +3084,6 @@ AwMDaAAwZQIxALGOWiDDshliTd6wT99u0nCK8Z9+aozmut6Dacpps6kFtZaSF4fC0urQe87YQVt8
rgIwRt7qy12a7DLCZRawTDBcMPPaTnOGBtjOiQRINzf43TNRnXCve1XYAS59BWQOhriR rgIwRt7qy12a7DLCZRawTDBcMPPaTnOGBtjOiQRINzf43TNRnXCve1XYAS59BWQOhriR
-----END CERTIFICATE----- -----END CERTIFICATE-----
Security Communication RootCA3
==============================
-----BEGIN CERTIFICATE-----
MIIFfzCCA2egAwIBAgIJAOF8N0D9G/5nMA0GCSqGSIb3DQEBDAUAMF0xCzAJBgNVBAYTAkpQMSUw
IwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScwJQYDVQQDEx5TZWN1cml0eSBD
b21tdW5pY2F0aW9uIFJvb3RDQTMwHhcNMTYwNjE2MDYxNzE2WhcNMzgwMTE4MDYxNzE2WjBdMQsw
CQYDVQQGEwJKUDElMCMGA1UEChMcU0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEnMCUGA1UE
AxMeU2VjdXJpdHkgQ29tbXVuaWNhdGlvbiBSb290Q0EzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
MIICCgKCAgEA48lySfcw3gl8qUCBWNO0Ot26YQ+TUG5pPDXC7ltzkBtnTCHsXzW7OT4rCmDvu20r
hvtxosis5FaU+cmvsXLUIKx00rgVrVH+hXShuRD+BYD5UpOzQD11EKzAlrenfna84xtSGc4RHwsE
NPXY9Wk8d/Nk9A2qhd7gCVAEF5aEt8iKvE1y/By7z/MGTfmfZPd+pmaGNXHIEYBMwXFAWB6+oHP2
/D5Q4eAvJj1+XCO1eXDe+uDRpdYMQXF79+qMHIjH7Iv10S9VlkZ8WjtYO/u62C21Jdp6Ts9EriGm
npjKIG58u4iFW/vAEGK78vknR+/RiTlDxN/e4UG/VHMgly1s2vPUB6PmudhvrvyMGS7TZ2crldtY
XLVqAvO4g160a75BflcJdURQVc1aEWEhCmHCqYj9E7wtiS/NYeCVvsq1e+F7NGcLH7YMx3weGVPK
p7FKFSBWFHA9K4IsD50VHUeAR/94mQ4xr28+j+2GaR57GIgUssL8gjMunEst+3A7caoreyYn8xrC
3PsXuKHqy6C0rtOUfnrQq8PsOC0RLoi/1D+tEjtCrI8Cbn3M0V9hvqG8OmpI6iZVIhZdXw3/JzOf
GAN0iltSIEdrRU0id4xVJ/CvHozJgyJUt5rQT9nO/NkuHJYosQLTA70lUhw0Zk8jq/R3gpYd0Vcw
CBEF/VfR2ccCAwEAAaNCMEAwHQYDVR0OBBYEFGQUfPxYchamCik0FW8qy7z8r6irMA4GA1UdDwEB
/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDAUAA4ICAQDcAiMI4u8hOscNtybS
YpOnpSNyByCCYN8Y11StaSWSntkUz5m5UoHPrmyKO1o5yGwBQ8IibQLwYs1OY0PAFNr0Y/Dq9HHu
Tofjcan0yVflLl8cebsjqodEV+m9NU1Bu0soo5iyG9kLFwfl9+qd9XbXv8S2gVj/yP9kaWJ5rW4O
H3/uHWnlt3Jxs/6lATWUVCvAUm2PVcTJ0rjLyjQIUYWg9by0F1jqClx6vWPGOi//lkkZhOpn2ASx
YfQAW0q3nHE3GYV5v4GwxxMOdnE+OoAGrgYWp421wsTL/0ClXI2lyTrtcoHKXJg80jQDdwj98ClZ
XSEIx2C/pHF7uNkegr4Jr2VvKKu/S7XuPghHJ6APbw+LP6yVGPO5DtxnVW5inkYO0QR4ynKudtml
+LLfiAlhi+8kTtFZP1rUPcmTPCtk9YENFpb3ksP+MW/oKjJ0DvRMmEoYDjBU1cXrvMUVnuiZIesn
KwkK2/HmcBhWuwzkvvnoEKQTkrgc4NtnHVMDpCKn3F2SEDzq//wbEBrD2NCcnWXL0CsnMQMeNuE9
dnUM/0Umud1RvCPHX9jYhxBAEg09ODfnRDwYwFMJZI//1ZqmfHAuc1Uh6N//g7kdPjIe1qZ9LPFm
6Vwdp6POXiUyK+OVrCoHzrQoeIY8LaadTdJ0MN1kURXbg4NR16/9M51NZg==
-----END CERTIFICATE-----
Security Communication ECC RootCA1 Security Communication ECC RootCA1
================================== ==================================
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
@ -3664,3 +3578,65 @@ AgEGMB0GA1UdDgQWBBTrQciu/NWeUUj1vYv0hyCTQSvT9DAKBggqhkjOPQQDAwNoADBlAjEA2S6J
fl5OpBEHvVnCB96rMjhTKkZEBhd6zlHp4P9mLQlO4E/0BdGF9jVg3PVys0Z9AjBEmEYagoUeYWmJ fl5OpBEHvVnCB96rMjhTKkZEBhd6zlHp4P9mLQlO4E/0BdGF9jVg3PVys0Z9AjBEmEYagoUeYWmJ
SwdLZrWeqrqgHkHZAXQ6bkU6iYAZezKYVWOr62Nuk22rGwlgMU4= SwdLZrWeqrqgHkHZAXQ6bkU6iYAZezKYVWOr62Nuk22rGwlgMU4=
-----END CERTIFICATE----- -----END CERTIFICATE-----
D-TRUST BR Root CA 2 2023
=========================
-----BEGIN CERTIFICATE-----
MIIFqTCCA5GgAwIBAgIQczswBEhb2U14LnNLyaHcZjANBgkqhkiG9w0BAQ0FADBIMQswCQYDVQQG
EwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRSVVNUIEJSIFJvb3QgQ0Eg
MiAyMDIzMB4XDTIzMDUwOTA4NTYzMVoXDTM4MDUwOTA4NTYzMFowSDELMAkGA1UEBhMCREUxFTAT
BgNVBAoTDEQtVHJ1c3QgR21iSDEiMCAGA1UEAxMZRC1UUlVTVCBCUiBSb290IENBIDIgMjAyMzCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK7/CVmRgApKaOYkP7in5Mg6CjoWzckjYaCT
cfKri3OPoGdlYNJUa2NRb0kz4HIHE304zQaSBylSa053bATTlfrdTIzZXcFhfUvnKLNEgXtRr90z
sWh81k5M/itoucpmacTsXld/9w3HnDY25QdgrMBM6ghs7wZ8T1soegj8k12b9py0i4a6Ibn08OhZ
WiihNIQaJZG2tY/vsvmA+vk9PBFy2OMvhnbFeSzBqZCTRphny4NqoFAjpzv2gTng7fC5v2Xx2Mt6
++9zA84A9H3X4F07ZrjcjrqDy4d2A/wl2ecjbwb9Z/Pg/4S8R7+1FhhGaRTMBffb00msa8yr5LUL
QyReS2tNZ9/WtT5PeB+UcSTq3nD88ZP+npNa5JRal1QMNXtfbO4AHyTsA7oC9Xb0n9Sa7YUsOCIv
x9gvdhFP/Wxc6PWOJ4d/GUohR5AdeY0cW/jPSoXk7bNbjb7EZChdQcRurDhaTyN0dKkSw/bSuREV
MweR2Ds3OmMwBtHFIjYoYiMQ4EbMl6zWK11kJNXuHA7e+whadSr2Y23OC0K+0bpwHJwh5Q8xaRfX
/Aq03u2AnMuStIv13lmiWAmlY0cL4UEyNEHZmrHZqLAbWt4NDfTisl01gLmB1IRpkQLLddCNxbU9
CZEJjxShFHR5PtbJFR2kWVki3PaKRT08EtY+XTIvAgMBAAGjgY4wgYswDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQUZ5Dw1t61GNVGKX5cq/ieCLxklRAwDgYDVR0PAQH/BAQDAgEGMEkGA1UdHwRC
MEAwPqA8oDqGOGh0dHA6Ly9jcmwuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3RfYnJfcm9vdF9jYV8y
XzIwMjMuY3JsMA0GCSqGSIb3DQEBDQUAA4ICAQA097N3U9swFrktpSHxQCF16+tIFoE9c+CeJyrr
d6kTpGoKWloUMz1oH4Guaf2Mn2VsNELZLdB/eBaxOqwjMa1ef67nriv6uvw8l5VAk1/DLQOj7aRv
U9f6QA4w9QAgLABMjDu0ox+2v5Eyq6+SmNMW5tTRVFxDWy6u71cqqLRvpO8NVhTaIasgdp4D/Ca4
nj8+AybmTNudX0KEPUUDAxxZiMrcLmEkWqTqJwtzEr5SswrPMhfiHocaFpVIbVrg0M8JkiZmkdij
YQ6qgYF/6FKC0ULn4B0Y+qSFNueG4A3rvNTJ1jxD8V1Jbn6Bm2m1iWKPiFLY1/4nwSPFyysCu7Ff
/vtDhQNGvl3GyiEm/9cCnnRK3PgTFbGBVzbLZVzRHTF36SXDw7IyN9XxmAnkbWOACKsGkoHU6XCP
pz+y7YaMgmo1yEJagtFSGkUPFaUA8JR7ZSdXOUPPfH/mvTWze/EZTN46ls/pdu4D58JDUjxqgejB
WoC9EV2Ta/vH5mQ/u2kc6d0li690yVRAysuTEwrt+2aSEcr1wPrYg1UDfNPFIkZ1cGt5SAYqgpq/
5usWDiJFAbzdNpQ0qTUmiteXue4Icr80knCDgKs4qllo3UCkGJCy89UDyibK79XH4I9TjvAA46jt
n/mtd+ArY0+ew+43u3gJhJ65bvspmZDogNOfJA==
-----END CERTIFICATE-----
D-TRUST EV Root CA 2 2023
=========================
-----BEGIN CERTIFICATE-----
MIIFqTCCA5GgAwIBAgIQaSYJfoBLTKCnjHhiU19abzANBgkqhkiG9w0BAQ0FADBIMQswCQYDVQQG
EwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRSVVNUIEVWIFJvb3QgQ0Eg
MiAyMDIzMB4XDTIzMDUwOTA5MTAzM1oXDTM4MDUwOTA5MTAzMlowSDELMAkGA1UEBhMCREUxFTAT
BgNVBAoTDEQtVHJ1c3QgR21iSDEiMCAGA1UEAxMZRC1UUlVTVCBFViBSb290IENBIDIgMjAyMzCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANiOo4mAC7JXUtypU0w3uX9jFxPvp1sjW2l1
sJkKF8GLxNuo4MwxusLyzV3pt/gdr2rElYfXR8mV2IIEUD2BCP/kPbOx1sWy/YgJ25yE7CUXFId/
MHibaljJtnMoPDT3mfd/06b4HEV8rSyMlD/YZxBTfiLNTiVR8CUkNRFeEMbsh2aJgWi6zCudR3Mf
vc2RpHJqnKIbGKBv7FD0fUDCqDDPvXPIEysQEx6Lmqg6lHPTGGkKSv/BAQP/eX+1SH977ugpbzZM
lWGG2Pmic4ruri+W7mjNPU0oQvlFKzIbRlUWaqZLKfm7lVa/Rh3sHZMdwGWyH6FDrlaeoLGPaxK3
YG14C8qKXO0elg6DpkiVjTujIcSuWMYAsoS0I6SWhjW42J7YrDRJmGOVxcttSEfi8i4YHtAxq910
7PncjLgcjmgjutDzUNzPZY9zOjLHfP7KgiJPvo5iR2blzYfi6NUPGJ/lBHJLRjwQ8kTCZFZxTnXo
nMkmdMV9WdEKWw9t/p51HBjGGjp82A0EzM23RWV6sY+4roRIPrN6TagD4uJ+ARZZaBhDM7DS3LAa
QzXupdqpRlyuhoFBAUp0JuyfBr/CBTdkdXgpaP3F9ev+R/nkhbDhezGdpn9yo7nELC7MmVcOIQxF
AZRl62UJxmMiCzNJkkg8/M3OsD6Onov4/knFNXJHAgMBAAGjgY4wgYswDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQUqvyREBuHkV8Wub9PS5FeAByxMoAwDgYDVR0PAQH/BAQDAgEGMEkGA1UdHwRC
MEAwPqA8oDqGOGh0dHA6Ly9jcmwuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3RfZXZfcm9vdF9jYV8y
XzIwMjMuY3JsMA0GCSqGSIb3DQEBDQUAA4ICAQCTy6UfmRHsmg1fLBWTxj++EI14QvBukEdHjqOS
Mo1wj/Zbjb6JzkcBahsgIIlbyIIQbODnmaprxiqgYzWRaoUlrRc4pZt+UPJ26oUFKidBK7GB0aL2
QHWpDsvxVUjY7NHss+jOFKE17MJeNRqrphYBBo7q3C+jisosketSjl8MmxfPy3MHGcRqwnNU73xD
UmPBEcrCRbH0O1P1aa4846XerOhUt7KR/aypH/KH5BfGSah82ApB9PI+53c0BFLd6IHyTS9URZ0V
4U/M5d40VxDJI3IXcI1QcB9WbMy5/zpaT2N6w25lBx2Eof+pDGOJbbJAiDnXH3dotfyc1dZnaVuo
dNv8ifYbMvekJKZ2t0dT741Jj6m2g1qllpBFYfXeA08mD6iL8AOWsKwV0HFaanuU5nCT2vFp4LJi
TZ6P/4mdm13NRemUAiKN4DV/6PEEeXFsVIP4M7kFMhtYVRFP0OUnR3Hs7dpn1mKmS00PaaLJvOwi
S5THaJQXfuKOKD62xur1NGyfN4gHONuGcfrNlUhDbqNPgofXNJhuS5N5YHVpD/Aa1VP6IQzCP+k/
HxiMkl14p3ZnGbuy6n/pcAlWVqOwDAstNl7F6cTVg8uGF5csbBNvh1qvSaYd2804BC5f4ko1Di1L
+KIkBI3Y4WNeApI02phhXBxvWHZks/wCuPWdCg==
-----END CERTIFICATE-----

78
thirdparty/mbedtls/include/mbedtls/config.h vendored
View file

@ -1713,6 +1713,46 @@
*/ */
//#define MBEDTLS_SSL_ASYNC_PRIVATE //#define MBEDTLS_SSL_ASYNC_PRIVATE
/** \def MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
*
* In TLS clients, when a client authenticates a server through its
* certificate, the client normally checks three things:
* - the certificate chain must be valid;
* - the chain must start from a trusted CA;
* - the certificate must cover the server name that is expected by the client.
*
* Omitting any of these checks is generally insecure, and can allow a
* malicious server to impersonate a legitimate server.
*
* The third check may be safely skipped in some unusual scenarios,
* such as networks where eavesdropping is a risk but not active attacks,
* or a private PKI where the client equally trusts all servers that are
* accredited by the root CA.
*
* You should call mbedtls_ssl_set_hostname() with the expected server name
* before starting a TLS handshake on a client (unless the client is
* set up to only use PSK-based authentication, which does not rely on the
* host name). This configuration option controls what happens if a TLS client
* is configured with the authentication mode #MBEDTLS_SSL_VERIFY_REQUIRED
* (default), certificate authentication is enabled and the client does not
* call mbedtls_ssl_set_hostname():
*
* - If this option is unset (default), the connection attempt is aborted
* with the error #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.
* - If this option is set, the TLS library does not check the server name
* that the certificate is valid for. This is the historical behavior
* of Mbed TLS, but may be insecure as explained above.
*
* Enable this option for strict backward compatibility if you have
* determined that it is secure in the scenario where you are using
* Mbed TLS.
*
* \deprecated This option exists only for backward compatibility and will
* be removed in the next major version of Mbed TLS.
*
*/
//#define MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
/** /**
* \def MBEDTLS_SSL_CONTEXT_SERIALIZATION * \def MBEDTLS_SSL_CONTEXT_SERIALIZATION
* *
@ -2290,6 +2330,10 @@
* That is, the APIs enabled by this option are not covered by the usual * That is, the APIs enabled by this option are not covered by the usual
* promises of API stability. * promises of API stability.
* *
* \warning In multithreaded applications, you must also enable
* #MBEDTLS_THREADING_C, unless only one thread ever calls PSA functions
* (`psa_xxx()`), including indirect calls through SSL/TLS, X.509 or PK.
*
* Requires: MBEDTLS_PSA_CRYPTO_C. * Requires: MBEDTLS_PSA_CRYPTO_C.
* *
* Uncomment this to enable internal use of PSA Crypto and new associated APIs. * Uncomment this to enable internal use of PSA Crypto and new associated APIs.
@ -3389,6 +3433,14 @@
* *
* Enable the Platform Security Architecture cryptography API. * Enable the Platform Security Architecture cryptography API.
* *
* \note In multithreaded applications, you must enable #MBEDTLS_THREADING_C,
* unless only one thread ever calls `psa_xxx()` functions.
* That includes indirect calls, such as:
* - indirect calls from PK, X.509 or SSL functions when
* #MBEDTLS_USE_PSA_CRYPTO is enabled;
* - any other call to a function that requires calling psa_crypto_init()
* beforehand.
*
* Module: library/psa_crypto.c * Module: library/psa_crypto.c
* *
* Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C, * Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C,
@ -3605,11 +3657,29 @@
/** /**
* \def MBEDTLS_THREADING_C * \def MBEDTLS_THREADING_C
* *
* Enable the threading abstraction layer. * Traditionally, Mbed TLS assumes it is used in a non-threaded environment or
* By default Mbed TLS assumes it is used in a non-threaded environment or that * that contexts are not shared between threads. If you do intend to use contexts
* contexts are not shared between threads. If you do intend to use contexts
* between threads, you will need to enable this layer to prevent race * between threads, you will need to enable this layer to prevent race
* conditions. See also our Knowledge Base article about threading: * conditions.
*
* The PSA subsystem has an implicit shared context. Therefore, you must
* enable this option if more than one thread may use any part of
* Mbed TLS that is implemented on top of the PSA subsystem.
*
* You must enable this option in multithreaded applications where more than
* one thread performs any of the following operations:
*
* - Any call to a PSA function (`psa_xxx()`).
* - Any call to a TLS, X.509 or PK function (`mbedtls_ssl_xxx()`,
* `mbedtls_x509_xxx()`, `mbedtls_pkcs7_xxx()`, `mbedtls_pk_xxx()`)
* if `MBEDTLS_USE_PSA_CRYPTO` is enabled (regardless of whether individual
* TLS, X.509 or PK contexts are shared between threads).
* - Any use of a cryptographic context if the same context is used in
* multiple threads.
* - Any call to a function where the documentation specifies that
* psa_crypto_init() must be called prior to that function.
*
* See also our Knowledge Base article about threading:
* https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading * https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading
* *
* Module: library/threading.c * Module: library/threading.c

6
thirdparty/mbedtls/include/mbedtls/debug.h vendored
View file

@ -108,16 +108,16 @@
* *
* This module provides debugging functions. * This module provides debugging functions.
*/ */
#if (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800) #if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900)
#include <inttypes.h> #include <inttypes.h>
#define MBEDTLS_PRINTF_SIZET PRIuPTR #define MBEDTLS_PRINTF_SIZET PRIuPTR
#define MBEDTLS_PRINTF_LONGLONG "I64d" #define MBEDTLS_PRINTF_LONGLONG "I64d"
#else \ #else \
/* (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800) */ /* defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900) */
#define MBEDTLS_PRINTF_SIZET "zu" #define MBEDTLS_PRINTF_SIZET "zu"
#define MBEDTLS_PRINTF_LONGLONG "lld" #define MBEDTLS_PRINTF_LONGLONG "lld"
#endif \ #endif \
/* (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800) */ /* defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900) */
#ifdef __cplusplus #ifdef __cplusplus
extern "C" { extern "C" {

2
thirdparty/mbedtls/include/mbedtls/error.h vendored
View file

@ -92,7 +92,7 @@
* ECP 4 10 (Started from top) * ECP 4 10 (Started from top)
* MD 5 5 * MD 5 5
* HKDF 5 1 (Started from top) * HKDF 5 1 (Started from top)
* SSL 5 2 (Started from 0x5F00) * SSL 5 3 (Started from 0x5F00)
* CIPHER 6 8 (Started from 0x6080) * CIPHER 6 8 (Started from 0x6080)
* SSL 6 24 (Started from top, plus 0x6000) * SSL 6 24 (Started from top, plus 0x6000)
* SSL 7 32 * SSL 7 32

23
thirdparty/mbedtls/include/mbedtls/gcm.h vendored
View file

@ -107,10 +107,9 @@ int mbedtls_gcm_setkey(mbedtls_gcm_context *ctx,
/** /**
* \brief This function performs GCM encryption or decryption of a buffer. * \brief This function performs GCM encryption or decryption of a buffer.
* *
* \note For encryption, the output buffer can be the same as the * \note The output buffer \p output can be the same as the input
* input buffer. For decryption, the output buffer cannot be * buffer \p input. If \p output is greater than \p input, they
* the same as input buffer. If the buffers overlap, the output * cannot overlap.
* buffer must trail at least 8 Bytes behind the input buffer.
* *
* \warning When this function performs a decryption, it outputs the * \warning When this function performs a decryption, it outputs the
* authentication tag and does not verify that the data is * authentication tag and does not verify that the data is
@ -171,9 +170,11 @@ int mbedtls_gcm_crypt_and_tag(mbedtls_gcm_context *ctx,
* \brief This function performs a GCM authenticated decryption of a * \brief This function performs a GCM authenticated decryption of a
* buffer. * buffer.
* *
* \note For decryption, the output buffer cannot be the same as * \note The output buffer \p output can be the same as the input
* input buffer. If the buffers overlap, the output buffer * buffer \p input. If \p output is greater than \p input, they
* must trail at least 8 Bytes behind the input buffer. * cannot overlap. Implementations which require
* MBEDTLS_GCM_ALT to be enabled may not provide support for
* overlapping buffers.
* *
* \param ctx The GCM context. This must be initialized. * \param ctx The GCM context. This must be initialized.
* \param length The length of the ciphertext to decrypt, which is also * \param length The length of the ciphertext to decrypt, which is also
@ -243,9 +244,11 @@ int mbedtls_gcm_starts(mbedtls_gcm_context *ctx,
* Bytes. Only the last call before calling * Bytes. Only the last call before calling
* mbedtls_gcm_finish() can be less than 16 Bytes. * mbedtls_gcm_finish() can be less than 16 Bytes.
* *
* \note For decryption, the output buffer cannot be the same as * \note The output buffer \p output can be the same as the input
* input buffer. If the buffers overlap, the output buffer * buffer \p input. If \p output is greater than \p input, they
* must trail at least 8 Bytes behind the input buffer. * cannot overlap. Implementations which require
* MBEDTLS_GCM_ALT to be enabled may not provide support for
* overlapping buffers.
* *
* \param ctx The GCM context. This must be initialized. * \param ctx The GCM context. This must be initialized.
* \param length The length of the input data. This must be a multiple of * \param length The length of the input data. This must be a multiple of

2
thirdparty/mbedtls/include/mbedtls/net_sockets.h vendored
View file

@ -226,7 +226,7 @@ int mbedtls_net_recv(void *ctx, unsigned char *buf, size_t len);
/** /**
* \brief Write at most 'len' characters. If no error occurs, * \brief Write at most 'len' characters. If no error occurs,
* the actual amount read is returned. * the actual amount written is returned.
* *
* \param ctx Socket * \param ctx Socket
* \param buf The buffer to read from * \param buf The buffer to read from

102
thirdparty/mbedtls/include/mbedtls/ssl.h vendored
View file

@ -183,6 +183,41 @@
#define MBEDTLS_ERR_SSL_BAD_CONFIG -0x5E80 #define MBEDTLS_ERR_SSL_BAD_CONFIG -0x5E80
/** Cache entry not found */ /** Cache entry not found */
#define MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND -0x5E00 #define MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND -0x5E00
/** Attempt to verify a certificate without an expected hostname.
* This is usually insecure.
*
* In TLS clients, when a client authenticates a server through its
* certificate, the client normally checks three things:
* - the certificate chain must be valid;
* - the chain must start from a trusted CA;
* - the certificate must cover the server name that is expected by the client.
*
* Omitting any of these checks is generally insecure, and can allow a
* malicious server to impersonate a legitimate server.
*
* The third check may be safely skipped in some unusual scenarios,
* such as networks where eavesdropping is a risk but not active attacks,
* or a private PKI where the client equally trusts all servers that are
* accredited by the root CA.
*
* You should call mbedtls_ssl_set_hostname() with the expected server name
* before starting a TLS handshake on a client (unless the client is
* set up to only use PSK-based authentication, which does not rely on the
* host name). If you have determined that server name verification is not
* required for security in your scenario, call mbedtls_ssl_set_hostname()
* with \p NULL as the server name.
*
* This error is raised if all of the following conditions are met:
*
* - A TLS client is configured with the authentication mode
* #MBEDTLS_SSL_VERIFY_REQUIRED (default).
* - Certificate authentication is enabled.
* - The client does not call mbedtls_ssl_set_hostname().
* - The configuration option
* #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
* is not enabled.
*/
#define MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME -0x5D80
/* /*
* Various constants * Various constants
@ -1403,8 +1438,36 @@ struct mbedtls_ssl_context {
* User settings * User settings
*/ */
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
char *hostname; /*!< expected peer CN for verification /** Expected peer CN for verification.
(and SNI if available) */ *
* Also used on clients for SNI.
*
* The value of this field can be:
* - \p NULL in a newly initialized or reset context.
* - A heap-allocated copy of the last value passed to
* mbedtls_ssl_set_hostname(), if the last call had a non-null
* \p hostname argument.
* - A special value to indicate that mbedtls_ssl_set_hostname()
* was called with \p NULL (as opposed to never having been called).
*
* If you need to obtain the value passed to
* mbedtls_ssl_set_hostname() even if it may have been called with
* \p NULL, call mbedtls_ssl_get_hostname_pointer().
*
* If this field contains the value \p NULL and the configuration option
* #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
* is unset, on a TLS client, attempting to verify a server certificate
* results in the error
* #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.
*
* If this field contains the special value described above, or if
* the value is \p NULL and the configuration option
* #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
* is set, then the peer name verification is skipped, which may be
* insecure, especially on a client. Furthermore, on a client, the
* server_name extension is not sent.
*/
char *hostname;
#endif /* MBEDTLS_X509_CRT_PARSE_C */ #endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_ALPN) #if defined(MBEDTLS_SSL_ALPN)
@ -1535,6 +1598,14 @@ void mbedtls_ssl_init(mbedtls_ssl_context *ssl);
* Calling mbedtls_ssl_setup again is not supported, even * Calling mbedtls_ssl_setup again is not supported, even
* if no session is active. * if no session is active.
* *
* \warning After setting up a client context, if certificate-based
* authentication is enabled, you should call
* mbedtls_ssl_set_hostname() to specifiy the expected
* name of the server. Without this, in most scenarios,
* the TLS connection is insecure. See
* #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
* for more information.
*
* \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
* subsystem must have been initialized by calling * subsystem must have been initialized by calling
* psa_crypto_init() before calling this function. * psa_crypto_init() before calling this function.
@ -3107,16 +3178,29 @@ void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf,
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
/** /**
* \brief Set or reset the hostname to check against the received * \brief Set or reset the hostname to check against the received
* server certificate. It sets the ServerName TLS extension, * peer certificate. On a client, this also sets the
* too, if that extension is enabled. (client-side only) * ServerName TLS extension, if that extension is enabled.
* On a TLS 1.3 client, this also sets the server name in
* the session resumption ticket, if that feature is enabled.
* *
* \param ssl SSL context * \param ssl SSL context
* \param hostname the server hostname, may be NULL to clear hostname * \param hostname The server hostname. This may be \c NULL to clear
* the hostname.
* \note Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN.
* *
* \return 0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on * \note Maximum hostname length #MBEDTLS_SSL_MAX_HOST_NAME_LEN.
* allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on *
* \note If the hostname is \c NULL on a client, then the server
* is not authenticated: it only needs to have a valid
* certificate, not a certificate matching its name.
* Therefore you should always call this function on a client,
* unless the connection is set up to only allow
* pre-shared keys, or in scenarios where server
* impersonation is not a concern. See the documentation of
* #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
* for more details.
*
* \return 0 if successful, #MBEDTLS_ERR_SSL_ALLOC_FAILED on
* allocation failure, #MBEDTLS_ERR_SSL_BAD_INPUT_DATA on
* too long input hostname. * too long input hostname.
* *
* Hostname set to the one provided on success (cleared * Hostname set to the one provided on success (cleared

13
thirdparty/mbedtls/include/mbedtls/ssl_internal.h vendored
View file

@ -467,7 +467,8 @@ struct mbedtls_ssl_handshake_params {
void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *); void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int); MBEDTLS_CHECK_RETURN_CRITICAL
int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
mbedtls_ssl_tls_prf_cb *tls_prf; mbedtls_ssl_tls_prf_cb *tls_prf;
#if defined(MBEDTLS_DHM_C) #if defined(MBEDTLS_DHM_C)
@ -1214,6 +1215,16 @@ static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl)
return 4; return 4;
} }
/** Get the host name from the SSL context.
*
* \param[in] ssl SSL context
*
* \return The \p hostname pointer from the SSL context.
* \c NULL if mbedtls_ssl_set_hostname() has never been called on
* \p ssl or if it was last called with \p NULL.
*/
const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl);
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl); void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl);
void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl); void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl);

8
thirdparty/mbedtls/include/mbedtls/version.h vendored
View file

@ -26,16 +26,16 @@
*/ */
#define MBEDTLS_VERSION_MAJOR 2 #define MBEDTLS_VERSION_MAJOR 2
#define MBEDTLS_VERSION_MINOR 28 #define MBEDTLS_VERSION_MINOR 28
#define MBEDTLS_VERSION_PATCH 9 #define MBEDTLS_VERSION_PATCH 10
/** /**
* The single version number has the following structure: * The single version number has the following structure:
* MMNNPP00 * MMNNPP00
* Major version | Minor version | Patch version * Major version | Minor version | Patch version
*/ */
#define MBEDTLS_VERSION_NUMBER 0x021C0900 #define MBEDTLS_VERSION_NUMBER 0x021C0A00
#define MBEDTLS_VERSION_STRING "2.28.9" #define MBEDTLS_VERSION_STRING "2.28.10"
#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 2.28.9" #define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 2.28.10"
#if defined(MBEDTLS_VERSION_C) #if defined(MBEDTLS_VERSION_C)

8
thirdparty/mbedtls/library/aesni.c vendored
View file

@ -460,7 +460,7 @@ int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
"movdqu %%xmm0, (%4) \n\t" // export output "movdqu %%xmm0, (%4) \n\t" // export output
: :
: "r" (ctx->nr), "r" (ctx->rk), "r" (mode), "r" (input), "r" (output) : "r" (ctx->nr), "r" (ctx->rk), "r" (mode), "r" (input), "r" (output)
: "memory", "cc", "xmm0", "xmm1"); : "memory", "cc", "xmm0", "xmm1", "0", "1");
return 0; return 0;
@ -648,7 +648,7 @@ static void aesni_setkey_enc_128(unsigned char *rk,
AESKEYGENA(xmm0_xmm1, "0x36") "call 1b \n\t" AESKEYGENA(xmm0_xmm1, "0x36") "call 1b \n\t"
: :
: "r" (rk), "r" (key) : "r" (rk), "r" (key)
: "memory", "cc", "0"); : "memory", "cc", "xmm0", "xmm1", "0");
} }
/* /*
@ -705,7 +705,7 @@ static void aesni_setkey_enc_192(unsigned char *rk,
: :
: "r" (rk), "r" (key) : "r" (rk), "r" (key)
: "memory", "cc", "0"); : "memory", "cc", "xmm0", "xmm1", "xmm2", "0");
} }
/* /*
@ -771,7 +771,7 @@ static void aesni_setkey_enc_256(unsigned char *rk,
AESKEYGENA(xmm1_xmm2, "0x40") "call 1b \n\t" AESKEYGENA(xmm1_xmm2, "0x40") "call 1b \n\t"
: :
: "r" (rk), "r" (key) : "r" (rk), "r" (key)
: "memory", "cc", "0"); : "memory", "cc", "xmm0", "xmm1", "xmm2", "0");
} }
#endif /* MBEDTLS_AESNI_HAVE_CODE */ #endif /* MBEDTLS_AESNI_HAVE_CODE */

2
thirdparty/mbedtls/library/ecp.c vendored
View file

@ -3125,7 +3125,7 @@ int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp,
/* see RFC 7748 sec. 5 para. 5 */ /* see RFC 7748 sec. 5 para. 5 */
if (mbedtls_mpi_get_bit(d, 0) != 0 || if (mbedtls_mpi_get_bit(d, 0) != 0 ||
mbedtls_mpi_get_bit(d, 1) != 0 || mbedtls_mpi_get_bit(d, 1) != 0 ||
mbedtls_mpi_bitlen(d) - 1 != grp->nbits) { /* mbedtls_mpi_bitlen is one-based! */ mbedtls_mpi_bitlen(d) != grp->nbits + 1) { /* mbedtls_mpi_bitlen is one-based! */
return MBEDTLS_ERR_ECP_INVALID_KEY; return MBEDTLS_ERR_ECP_INVALID_KEY;
} }

2
thirdparty/mbedtls/library/error.c vendored
View file

@ -508,6 +508,8 @@ const char *mbedtls_high_level_strerr(int error_code)
return( "SSL - Invalid value in SSL config" ); return( "SSL - Invalid value in SSL config" );
case -(MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND): case -(MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND):
return( "SSL - Cache entry not found" ); return( "SSL - Cache entry not found" );
case -(MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME):
return( "SSL - Attempt to verify a certificate without an expected hostname. This is usually insecure. In TLS clients, when a client authenticates a server through its certificate, the client normally checks three things: - the certificate chain must be valid; - the chain must start from a trusted CA; - the certificate must cover the server name that is expected by the client. Omitting any of these checks is generally insecure, and can allow a malicious server to impersonate a legitimate server. The third check may be safely skipped in some unusual scenarios, such as networks where eavesdropping is a risk but not active attacks, or a private PKI where the client equally trusts all servers that are accredited by the root CA. You should call mbedtls_ssl_set_hostname() with the expected server name before starting a TLS handshake on a client (unless the client is set up to only use PSK-based authentication, which does not rely on the host name). If you have determined that server name verification is not required for security in your scenario, call mbedtls_ssl_set_hostname() with \\p NULL as the server name. This error is raised if all of the following conditions are met: - A TLS client is configured with the authentication mode #MBEDTLS_SSL_VERIFY_REQUIRED (default). - Certificate authentication is enabled. - The client does not call mbedtls_ssl_set_hostname(). - The configuration option #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME is not enabled" );
#endif /* MBEDTLS_SSL_TLS_C */ #endif /* MBEDTLS_SSL_TLS_C */
#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C) #if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)

12
thirdparty/mbedtls/library/net_sockets.c vendored
View file

@ -195,7 +195,7 @@ int mbedtls_net_connect(mbedtls_net_context *ctx, const char *host,
break; break;
} }
close(ctx->fd); mbedtls_net_close(ctx);
ret = MBEDTLS_ERR_NET_CONNECT_FAILED; ret = MBEDTLS_ERR_NET_CONNECT_FAILED;
} }
@ -242,13 +242,13 @@ int mbedtls_net_bind(mbedtls_net_context *ctx, const char *bind_ip, const char *
n = 1; n = 1;
if (setsockopt(ctx->fd, SOL_SOCKET, SO_REUSEADDR, if (setsockopt(ctx->fd, SOL_SOCKET, SO_REUSEADDR,
(const char *) &n, sizeof(n)) != 0) { (const char *) &n, sizeof(n)) != 0) {
close(ctx->fd); mbedtls_net_close(ctx);
ret = MBEDTLS_ERR_NET_SOCKET_FAILED; ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
continue; continue;
} }
if (bind(ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen) != 0) { if (bind(ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen) != 0) {
close(ctx->fd); mbedtls_net_close(ctx);
ret = MBEDTLS_ERR_NET_BIND_FAILED; ret = MBEDTLS_ERR_NET_BIND_FAILED;
continue; continue;
} }
@ -256,7 +256,7 @@ int mbedtls_net_bind(mbedtls_net_context *ctx, const char *bind_ip, const char *
/* Listen only makes sense for TCP */ /* Listen only makes sense for TCP */
if (proto == MBEDTLS_NET_PROTO_TCP) { if (proto == MBEDTLS_NET_PROTO_TCP) {
if (listen(ctx->fd, MBEDTLS_NET_LISTEN_BACKLOG) != 0) { if (listen(ctx->fd, MBEDTLS_NET_LISTEN_BACKLOG) != 0) {
close(ctx->fd); mbedtls_net_close(ctx);
ret = MBEDTLS_ERR_NET_LISTEN_FAILED; ret = MBEDTLS_ERR_NET_LISTEN_FAILED;
continue; continue;
} }
@ -529,8 +529,8 @@ void mbedtls_net_usleep(unsigned long usec)
#else #else
struct timeval tv; struct timeval tv;
tv.tv_sec = usec / 1000000; tv.tv_sec = usec / 1000000;
#if defined(__unix__) || defined(__unix) || \ #if (defined(__unix__) || defined(__unix) || \
(defined(__APPLE__) && defined(__MACH__)) (defined(__APPLE__) && defined(__MACH__))) && !defined(__DJGPP__)
tv.tv_usec = (suseconds_t) usec % 1000000; tv.tv_usec = (suseconds_t) usec % 1000000;
#else #else
tv.tv_usec = usec % 1000000; tv.tv_usec = usec % 1000000;

9
thirdparty/mbedtls/library/ssl_cli.c vendored
View file

@ -83,19 +83,20 @@ static int ssl_write_hostname_ext(mbedtls_ssl_context *ssl,
size_t *olen) size_t *olen)
{ {
unsigned char *p = buf; unsigned char *p = buf;
const char *hostname = mbedtls_ssl_get_hostname_pointer(ssl);
size_t hostname_len; size_t hostname_len;
*olen = 0; *olen = 0;
if (ssl->hostname == NULL) { if (hostname == NULL) {
return 0; return 0;
} }
MBEDTLS_SSL_DEBUG_MSG(3, MBEDTLS_SSL_DEBUG_MSG(3,
("client hello, adding server name extension: %s", ("client hello, adding server name extension: %s",
ssl->hostname)); hostname));
hostname_len = strlen(ssl->hostname); hostname_len = strlen(hostname);
MBEDTLS_SSL_CHK_BUF_PTR(p, end, hostname_len + 9); MBEDTLS_SSL_CHK_BUF_PTR(p, end, hostname_len + 9);
@ -139,7 +140,7 @@ static int ssl_write_hostname_ext(mbedtls_ssl_context *ssl,
MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0); MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
p += 2; p += 2;
memcpy(p, ssl->hostname, hostname_len); memcpy(p, hostname, hostname_len);
*olen = hostname_len + 9; *olen = hostname_len + 9;

242
thirdparty/mbedtls/library/ssl_tls.c vendored
View file

@ -38,6 +38,92 @@
#include "mbedtls/oid.h" #include "mbedtls/oid.h"
#endif #endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/* A magic value for `ssl->hostname` indicating that
* mbedtls_ssl_set_hostname() has been called with `NULL`.
* If mbedtls_ssl_set_hostname() has never been called on `ssl`, then
* `ssl->hostname == NULL`. */
static const char *const ssl_hostname_skip_cn_verification = "";
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/** Whether mbedtls_ssl_set_hostname() has been called.
*
* \param[in] ssl SSL context
*
* \return \c 1 if mbedtls_ssl_set_hostname() has been called on \p ssl
* (including `mbedtls_ssl_set_hostname(ssl, NULL)`),
* otherwise \c 0.
*/
static int mbedtls_ssl_has_set_hostname_been_called(
const mbedtls_ssl_context *ssl)
{
return ssl->hostname != NULL;
}
#endif
const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl)
{
if (ssl->hostname == ssl_hostname_skip_cn_verification) {
return NULL;
}
return ssl->hostname;
}
static void mbedtls_ssl_free_hostname(mbedtls_ssl_context *ssl)
{
if (ssl->hostname != NULL &&
ssl->hostname != ssl_hostname_skip_cn_verification) {
mbedtls_platform_zeroize(ssl->hostname, strlen(ssl->hostname));
mbedtls_free(ssl->hostname);
}
ssl->hostname = NULL;
}
int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
{
/* Initialize to suppress unnecessary compiler warning */
size_t hostname_len = 0;
/* Check if new hostname is valid before
* making any change to current one */
if (hostname != NULL) {
hostname_len = strlen(hostname);
if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
}
/* Now it's clear that we will overwrite the old hostname,
* so we can free it safely */
mbedtls_ssl_free_hostname(ssl);
if (hostname == NULL) {
/* Passing NULL as hostname clears the old one, but leaves a
* special marker to indicate that mbedtls_ssl_set_hostname()
* has been called. */
/* ssl->hostname should be const, but isn't. We won't actually
* write to the buffer, so it's ok to cast away the const. */
ssl->hostname = (char *) ssl_hostname_skip_cn_verification;
} else {
ssl->hostname = mbedtls_calloc(1, hostname_len + 1);
if (ssl->hostname == NULL) {
/* mbedtls_ssl_set_hostname() has been called, but unsuccessfully.
* Leave ssl->hostname in the same state as if the function had
* not been called, i.e. a null pointer. */
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
}
memcpy(ssl->hostname, hostname, hostname_len);
ssl->hostname[hostname_len] = '\0';
}
return 0;
}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
@ -538,6 +624,23 @@ exit:
} }
#endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */ #endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
static int mbedtls_ssl_md_error_from_psa(psa_status_t status)
{
switch (status) {
case PSA_ERROR_NOT_SUPPORTED:
return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
case PSA_ERROR_BUFFER_TOO_SMALL:
return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
case PSA_ERROR_INSUFFICIENT_MEMORY:
return MBEDTLS_ERR_MD_ALLOC_FAILED;
default:
return MBEDTLS_ERR_MD_HW_ACCEL_FAILED;
}
}
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
@ -806,25 +909,25 @@ static void ssl_update_checksum_md5sha1(mbedtls_ssl_context *, const unsigned ch
#if defined(MBEDTLS_SSL_PROTO_SSL3) #if defined(MBEDTLS_SSL_PROTO_SSL3)
static void ssl_calc_verify_ssl(const mbedtls_ssl_context *, unsigned char *, size_t *); static void ssl_calc_verify_ssl(const mbedtls_ssl_context *, unsigned char *, size_t *);
static void ssl_calc_finished_ssl(mbedtls_ssl_context *, unsigned char *, int); static int ssl_calc_finished_ssl(mbedtls_ssl_context *, unsigned char *, int);
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
static void ssl_calc_verify_tls(const mbedtls_ssl_context *, unsigned char *, size_t *); static void ssl_calc_verify_tls(const mbedtls_ssl_context *, unsigned char *, size_t *);
static void ssl_calc_finished_tls(mbedtls_ssl_context *, unsigned char *, int); static int ssl_calc_finished_tls(mbedtls_ssl_context *, unsigned char *, int);
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
static void ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t); static void ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
static void ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *); static void ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
static void ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int); static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
#endif #endif
#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384) #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
static void ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t); static void ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
static void ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *); static void ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
static void ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int); static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
#endif #endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
@ -2521,13 +2624,33 @@ static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl,
return SSL_CERTIFICATE_EXPECTED; return SSL_CERTIFICATE_EXPECTED;
} }
static int get_hostname_for_verification(mbedtls_ssl_context *ssl,
const char **hostname)
{
if (!mbedtls_ssl_has_set_hostname_been_called(ssl)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Certificate verification without having set hostname"));
#if !defined(MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME)
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
ssl->conf->authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
return MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME;
}
#endif
}
*hostname = mbedtls_ssl_get_hostname_pointer(ssl);
if (*hostname == NULL) {
MBEDTLS_SSL_DEBUG_MSG(2, ("Certificate verification without CN verification"));
}
return 0;
}
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl, static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
int authmode, int authmode,
mbedtls_x509_crt *chain, mbedtls_x509_crt *chain,
void *rs_ctx) void *rs_ctx)
{ {
int ret = 0;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
ssl->handshake->ciphersuite_info; ssl->handshake->ciphersuite_info;
int have_ca_chain = 0; int have_ca_chain = 0;
@ -2549,6 +2672,13 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
p_vrfy = ssl->conf->p_vrfy; p_vrfy = ssl->conf->p_vrfy;
} }
const char *hostname = "";
int ret = get_hostname_for_verification(ssl, &hostname);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "get_hostname_for_verification", ret);
return ret;
}
/* /*
* Main check: verify certificate * Main check: verify certificate
*/ */
@ -2563,7 +2693,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
ssl->conf->f_ca_cb, ssl->conf->f_ca_cb,
ssl->conf->p_ca_cb, ssl->conf->p_ca_cb,
ssl->conf->cert_profile, ssl->conf->cert_profile,
ssl->hostname, hostname,
&ssl->session_negotiate->verify_result, &ssl->session_negotiate->verify_result,
f_vrfy, p_vrfy); f_vrfy, p_vrfy);
} else } else
@ -2591,7 +2721,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
chain, chain,
ca_chain, ca_crl, ca_chain, ca_crl,
ssl->conf->cert_profile, ssl->conf->cert_profile,
ssl->hostname, hostname,
&ssl->session_negotiate->verify_result, &ssl->session_negotiate->verify_result,
f_vrfy, p_vrfy, rs_ctx); f_vrfy, p_vrfy, rs_ctx);
} }
@ -3023,7 +3153,7 @@ static void ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_PROTO_SSL3) #if defined(MBEDTLS_SSL_PROTO_SSL3)
static void ssl_calc_finished_ssl( static int ssl_calc_finished_ssl(
mbedtls_ssl_context *ssl, unsigned char *buf, int from) mbedtls_ssl_context *ssl, unsigned char *buf, int from)
{ {
const char *sender; const char *sender;
@ -3105,11 +3235,13 @@ static void ssl_calc_finished_ssl(
mbedtls_platform_zeroize(sha1sum, sizeof(sha1sum)); mbedtls_platform_zeroize(sha1sum, sizeof(sha1sum));
MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished")); MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
return 0;
} }
#endif /* MBEDTLS_SSL_PROTO_SSL3 */ #endif /* MBEDTLS_SSL_PROTO_SSL3 */
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
static void ssl_calc_finished_tls( static int ssl_calc_finished_tls(
mbedtls_ssl_context *ssl, unsigned char *buf, int from) mbedtls_ssl_context *ssl, unsigned char *buf, int from)
{ {
int len = 12; int len = 12;
@ -3165,12 +3297,14 @@ static void ssl_calc_finished_tls(
mbedtls_platform_zeroize(padbuf, sizeof(padbuf)); mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished")); MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
return 0;
} }
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
static void ssl_calc_finished_tls_sha256( static int ssl_calc_finished_tls_sha256(
mbedtls_ssl_context *ssl, unsigned char *buf, int from) mbedtls_ssl_context *ssl, unsigned char *buf, int from)
{ {
int len = 12; int len = 12;
@ -3201,13 +3335,13 @@ static void ssl_calc_finished_tls_sha256(
status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa); status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed")); MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed"));
return; return mbedtls_ssl_md_error_from_psa(status);
} }
status = psa_hash_finish(&sha256_psa, padbuf, sizeof(padbuf), &hash_size); status = psa_hash_finish(&sha256_psa, padbuf, sizeof(padbuf), &hash_size);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed")); MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed"));
return; return mbedtls_ssl_md_error_from_psa(status);
} }
MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 32); MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 32);
#else #else
@ -3241,12 +3375,14 @@ static void ssl_calc_finished_tls_sha256(
mbedtls_platform_zeroize(padbuf, sizeof(padbuf)); mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished")); MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
return 0;
} }
#endif /* MBEDTLS_SHA256_C */ #endif /* MBEDTLS_SHA256_C */
#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384) #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
static void ssl_calc_finished_tls_sha384( static int ssl_calc_finished_tls_sha384(
mbedtls_ssl_context *ssl, unsigned char *buf, int from) mbedtls_ssl_context *ssl, unsigned char *buf, int from)
{ {
int len = 12; int len = 12;
@ -3277,13 +3413,13 @@ static void ssl_calc_finished_tls_sha384(
status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa); status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed")); MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed"));
return; return mbedtls_ssl_md_error_from_psa(status);
} }
status = psa_hash_finish(&sha384_psa, padbuf, sizeof(padbuf), &hash_size); status = psa_hash_finish(&sha384_psa, padbuf, sizeof(padbuf), &hash_size);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed")); MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed"));
return; return mbedtls_ssl_md_error_from_psa(status);
} }
MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 48); MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 48);
#else #else
@ -3328,6 +3464,8 @@ static void ssl_calc_finished_tls_sha384(
mbedtls_platform_zeroize(padbuf, sizeof(padbuf)); mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished")); MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
return 0;
} }
#endif /* MBEDTLS_SHA512_C && !MBEDTLS_SHA512_NO_SHA384 */ #endif /* MBEDTLS_SHA512_C && !MBEDTLS_SHA512_NO_SHA384 */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
@ -3422,7 +3560,12 @@ int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate); mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate);
ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint); ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4,
ssl->conf->endpoint);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
return ret;
}
/* /*
* RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
@ -3551,7 +3694,11 @@ int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl)
#endif #endif
hash_len = 12; hash_len = 12;
ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1); ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
goto exit;
}
if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
@ -4617,49 +4764,6 @@ void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf,
} }
#endif /* MBEDTLS_ECP_C */ #endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
{
/* Initialize to suppress unnecessary compiler warning */
size_t hostname_len = 0;
/* Check if new hostname is valid before
* making any change to current one */
if (hostname != NULL) {
hostname_len = strlen(hostname);
if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
}
/* Now it's clear that we will overwrite the old hostname,
* so we can free it safely */
if (ssl->hostname != NULL) {
mbedtls_platform_zeroize(ssl->hostname, strlen(ssl->hostname));
mbedtls_free(ssl->hostname);
}
/* Passing NULL as hostname shall clear the old one */
if (hostname == NULL) {
ssl->hostname = NULL;
} else {
ssl->hostname = mbedtls_calloc(1, hostname_len + 1);
if (ssl->hostname == NULL) {
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
}
memcpy(ssl->hostname, hostname, hostname_len);
ssl->hostname[hostname_len] = '\0';
}
return 0;
}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf, void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf,
int (*f_sni)(void *, mbedtls_ssl_context *, int (*f_sni)(void *, mbedtls_ssl_context *,
@ -6816,10 +6920,7 @@ void mbedtls_ssl_free(mbedtls_ssl_context *ssl)
} }
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
if (ssl->hostname != NULL) { mbedtls_ssl_free_hostname(ssl);
mbedtls_platform_zeroize(ssl->hostname, strlen(ssl->hostname));
mbedtls_free(ssl->hostname);
}
#endif #endif
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
@ -7559,17 +7660,8 @@ exit:
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
switch (status) {
case PSA_ERROR_NOT_SUPPORTED: return mbedtls_ssl_md_error_from_psa(status);
return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
case PSA_ERROR_BUFFER_TOO_SMALL:
return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
case PSA_ERROR_INSUFFICIENT_MEMORY:
return MBEDTLS_ERR_MD_ALLOC_FAILED;
default:
return MBEDTLS_ERR_MD_HW_ACCEL_FAILED;
}
} }
return 0; return 0;
} }

3
thirdparty/mbedtls/library/version_features.c vendored
View file

@ -486,6 +486,9 @@ static const char * const features[] = {
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
"MBEDTLS_SSL_ASYNC_PRIVATE", "MBEDTLS_SSL_ASYNC_PRIVATE",
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
#if defined(MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME)
"MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME",
#endif /* MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME */
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
"MBEDTLS_SSL_CONTEXT_SERIALIZATION", "MBEDTLS_SSL_CONTEXT_SERIALIZATION",
#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */

4
thirdparty/minizip/patches/godot-seek.patch vendored
View file

@ -145,7 +145,7 @@ index ea05b7d62a..981ba3c0cb 100644
s->pfile_in_zip_read = pfile_in_zip_read_info; s->pfile_in_zip_read = pfile_in_zip_read_info;
s->encrypted = 0; s->encrypted = 0;
@@ -1510,6 +1544,85 @@ extern int ZEXPORT unzOpenCurrentFile3(unzFile file, int* method, @@ -1510,6 +1544,87 @@ extern int ZEXPORT unzOpenCurrentFile3(unzFile file, int* method,
return UNZ_OK; return UNZ_OK;
} }
@ -178,6 +178,7 @@ index ea05b7d62a..981ba3c0cb 100644
+ pfile_in_zip_read_info->extra_size + pos; + pfile_in_zip_read_info->extra_size + pos;
+ +
+ pfile_in_zip_read_info->stream.avail_in = (uInt)0; + pfile_in_zip_read_info->stream.avail_in = (uInt)0;
+ pfile_in_zip_read_info->total_out_64 = pos;
+ pfile_in_zip_read_info->stream.total_out = pos; + pfile_in_zip_read_info->stream.total_out = pos;
+ +
+ return ZSEEK64(pfile_in_zip_read_info->z_filefunc, + return ZSEEK64(pfile_in_zip_read_info->z_filefunc,
@ -202,6 +203,7 @@ index ea05b7d62a..981ba3c0cb 100644
+ +
+ pfile_in_zip_read_info->stream.avail_in = (uInt)0; + pfile_in_zip_read_info->stream.avail_in = (uInt)0;
+ pfile_in_zip_read_info->stream.total_out = 0; + pfile_in_zip_read_info->stream.total_out = 0;
+ pfile_in_zip_read_info->total_out_64 = 0;
+ pfile_in_zip_read_info->stream.next_in = 0; + pfile_in_zip_read_info->stream.next_in = 0;
+ } + }
+ +

2
thirdparty/minizip/unzip.c vendored
View file

@ -1573,6 +1573,7 @@ extern int ZEXPORT unzSeekCurrentFile(unzFile file, int pos) {
pfile_in_zip_read_info->extra_size + pos; pfile_in_zip_read_info->extra_size + pos;
pfile_in_zip_read_info->stream.avail_in = (uInt)0; pfile_in_zip_read_info->stream.avail_in = (uInt)0;
pfile_in_zip_read_info->total_out_64 = pos;
pfile_in_zip_read_info->stream.total_out = pos; pfile_in_zip_read_info->stream.total_out = pos;
return ZSEEK64(pfile_in_zip_read_info->z_filefunc, return ZSEEK64(pfile_in_zip_read_info->z_filefunc,
@ -1597,6 +1598,7 @@ extern int ZEXPORT unzSeekCurrentFile(unzFile file, int pos) {
pfile_in_zip_read_info->stream.avail_in = (uInt)0; pfile_in_zip_read_info->stream.avail_in = (uInt)0;
pfile_in_zip_read_info->stream.total_out = 0; pfile_in_zip_read_info->stream.total_out = 0;
pfile_in_zip_read_info->total_out_64 = 0;
pfile_in_zip_read_info->stream.next_in = 0; pfile_in_zip_read_info->stream.next_in = 0;
} }