Merge pull request #36296 from Faless/dtls/enet_vulkan

DTLS support + optional ENet encryption

8 files changed, 615 insertions, 12 deletions

diff --git a/modules/mbedtls/dtls_server_mbedtls.cpp b/modules/mbedtls/dtls_server_mbedtls.cpp
new file mode 100644
index 0000000000..c4ac69e9ab
--- /dev/null
+++ b/modules/mbedtls/dtls_server_mbedtls.cpp
@@ -0,0 +1,78 @@
+/*************************************************************************/
+/*  dtls_server_mbedtls.cpp                                              */
+/*************************************************************************/
+/*                       This file is part of:                           */
+/*                           GODOT ENGINE                                */
+/*                      https://godotengine.org                          */
+/*************************************************************************/
+/* Copyright (c) 2007-2019 Juan Linietsky, Ariel Manzur.                 */
+/* Copyright (c) 2014-2019 Godot Engine contributors (cf. AUTHORS.md)    */
+/*                                                                       */
+/* Permission is hereby granted, free of charge, to any person obtaining */
+/* a copy of this software and associated documentation files (the       */
+/* "Software"), to deal in the Software without restriction, including   */
+/* without limitation the rights to use, copy, modify, merge, publish,   */
+/* distribute, sublicense, and/or sell copies of the Software, and to    */
+/* permit persons to whom the Software is furnished to do so, subject to */
+/* the following conditions:                                             */
+/*                                                                       */
+/* The above copyright notice and this permission notice shall be        */
+/* included in all copies or substantial portions of the Software.       */
+/*                                                                       */
+/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,       */
+/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF    */
+/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.*/
+/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY  */
+/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,  */
+/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE     */
+/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.                */
+/*************************************************************************/
+
+#include "dtls_server_mbedtls.h"
+#include "packet_peer_mbed_dtls.h"
+
+Error DTLSServerMbedTLS::setup(Ref<CryptoKey> p_key, Ref<X509Certificate> p_cert, Ref<X509Certificate> p_ca_chain) {
+	ERR_FAIL_COND_V(_cookies->setup() != OK, ERR_ALREADY_IN_USE);
+	_key = p_key;
+	_cert = p_cert;
+	_ca_chain = p_ca_chain;
+	return OK;
+}
+
+void DTLSServerMbedTLS::stop() {
+	_cookies->clear();
+}
+
+Ref<PacketPeerDTLS> DTLSServerMbedTLS::take_connection(Ref<PacketPeerUDP> p_udp_peer) {
+	Ref<PacketPeerMbedDTLS> out;
+	out.instance();
+
+	ERR_FAIL_COND_V(!out.is_valid(), out);
+	ERR_FAIL_COND_V(!p_udp_peer.is_valid(), out);
+	out->accept_peer(p_udp_peer, _key, _cert, _ca_chain, _cookies);
+	return out;
+}
+
+DTLSServer *DTLSServerMbedTLS::_create_func() {
+
+	return memnew(DTLSServerMbedTLS);
+}
+
+void DTLSServerMbedTLS::initialize() {
+
+	_create = _create_func;
+	available = true;
+}
+
+void DTLSServerMbedTLS::finalize() {
+	_create = NULL;
+	available = false;
+}
+
+DTLSServerMbedTLS::DTLSServerMbedTLS() {
+	_cookies.instance();
+}
+
+DTLSServerMbedTLS::~DTLSServerMbedTLS() {
+	stop();
+}
diff --git a/modules/mbedtls/dtls_server_mbedtls.h b/modules/mbedtls/dtls_server_mbedtls.h
new file mode 100644
index 0000000000..180ab7d84c
--- /dev/null
+++ b/modules/mbedtls/dtls_server_mbedtls.h
@@ -0,0 +1,58 @@
+/*************************************************************************/
+/*  dtls_server_mbedtls.h                                                */
+/*************************************************************************/
+/*                       This file is part of:                           */
+/*                           GODOT ENGINE                                */
+/*                      https://godotengine.org                          */
+/*************************************************************************/
+/* Copyright (c) 2007-2019 Juan Linietsky, Ariel Manzur.                 */
+/* Copyright (c) 2014-2019 Godot Engine contributors (cf. AUTHORS.md)    */
+/*                                                                       */
+/* Permission is hereby granted, free of charge, to any person obtaining */
+/* a copy of this software and associated documentation files (the       */
+/* "Software"), to deal in the Software without restriction, including   */
+/* without limitation the rights to use, copy, modify, merge, publish,   */
+/* distribute, sublicense, and/or sell copies of the Software, and to    */
+/* permit persons to whom the Software is furnished to do so, subject to */
+/* the following conditions:                                             */
+/*                                                                       */
+/* The above copyright notice and this permission notice shall be        */
+/* included in all copies or substantial portions of the Software.       */
+/*                                                                       */
+/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,       */
+/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF    */
+/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.*/
+/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY  */
+/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,  */
+/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE     */
+/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.                */
+/*************************************************************************/
+
+#ifndef MBED_DTLS_SERVER_H
+#define MBED_DTLS_SERVER_H
+
+#include "core/io/dtls_server.h"
+#include "ssl_context_mbedtls.h"
+
+class DTLSServerMbedTLS : public DTLSServer {
+
+private:
+	static DTLSServer *_create_func();
+	Ref<CryptoKey> _key;
+	Ref<X509Certificate> _cert;
+	Ref<X509Certificate> _ca_chain;
+	Ref<CookieContextMbedTLS> _cookies;
+
+public:
+	static void initialize();
+	static void finalize();
+
+	virtual Error setup(Ref<CryptoKey> p_key, Ref<X509Certificate> p_cert, Ref<X509Certificate> p_ca_chain = Ref<X509Certificate>());
+	virtual void stop();
+	virtual Ref<PacketPeerDTLS> take_connection(Ref<PacketPeerUDP> p_peer);
+
+	DTLSServerMbedTLS();
+	~DTLSServerMbedTLS();
+};
+
+#endif // MBED_DTLS_SERVER_H
diff --git a/modules/mbedtls/packet_peer_mbed_dtls.cpp b/modules/mbedtls/packet_peer_mbed_dtls.cpp
new file mode 100755
index 0000000000..134bd54801
--- /dev/null
+++ b/modules/mbedtls/packet_peer_mbed_dtls.cpp
@@ -0,0 +1,297 @@
+/*************************************************************************/
+/*  packet_peer_mbed_dtls.cpp                                            */
+/*************************************************************************/
+/*                       This file is part of:                           */
+/*                           GODOT ENGINE                                */
+/*                      https://godotengine.org                          */
+/*************************************************************************/
+/* Copyright (c) 2007-2019 Juan Linietsky, Ariel Manzur.                 */
+/* Copyright (c) 2014-2019 Godot Engine contributors (cf. AUTHORS.md)    */
+/*                                                                       */
+/* Permission is hereby granted, free of charge, to any person obtaining */
+/* a copy of this software and associated documentation files (the       */
+/* "Software"), to deal in the Software without restriction, including   */
+/* without limitation the rights to use, copy, modify, merge, publish,   */
+/* distribute, sublicense, and/or sell copies of the Software, and to    */
+/* permit persons to whom the Software is furnished to do so, subject to */
+/* the following conditions:                                             */
+/*                                                                       */
+/* The above copyright notice and this permission notice shall be        */
+/* included in all copies or substantial portions of the Software.       */
+/*                                                                       */
+/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,       */
+/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF    */
+/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.*/
+/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY  */
+/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,  */
+/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE     */
+/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.                */
+/*************************************************************************/
+
+#include "packet_peer_mbed_dtls.h"
+#include "mbedtls/platform_util.h"
+
+#include "core/io/stream_peer_ssl.h"
+#include "core/os/file_access.h"
+
+int PacketPeerMbedDTLS::bio_send(void *ctx, const unsigned char *buf, size_t len) {
+
+	if (buf == NULL || len <= 0) return 0;
+
+	PacketPeerMbedDTLS *sp = (PacketPeerMbedDTLS *)ctx;
+
+	ERR_FAIL_COND_V(sp == NULL, 0);
+
+	Error err = sp->base->put_packet((const uint8_t *)buf, len);
+	if (err == ERR_BUSY) {
+		return MBEDTLS_ERR_SSL_WANT_WRITE;
+	} else if (err != OK) {
+		ERR_FAIL_V(MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+	}
+	return len;
+}
+
+int PacketPeerMbedDTLS::bio_recv(void *ctx, unsigned char *buf, size_t len) {
+
+	if (buf == NULL || len <= 0) return 0;
+
+	PacketPeerMbedDTLS *sp = (PacketPeerMbedDTLS *)ctx;
+
+	ERR_FAIL_COND_V(sp == NULL, 0);
+
+	int pc = sp->base->get_available_packet_count();
+	if (pc == 0) {
+		return MBEDTLS_ERR_SSL_WANT_READ;
+	} else if (pc < 0) {
+		ERR_FAIL_V(MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+	}
+
+	const uint8_t *buffer;
+	int buffer_size = 0;
+	Error err = sp->base->get_packet(&buffer, buffer_size);
+	if (err != OK) {
+		return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+	}
+	copymem(buf, buffer, buffer_size);
+	return buffer_size;
+}
+
+void PacketPeerMbedDTLS::_cleanup() {
+
+	ssl_ctx->clear();
+	base = Ref<PacketPeer>();
+	status = STATUS_DISCONNECTED;
+}
+
+int PacketPeerMbedDTLS::_set_cookie() {
+	// Setup DTLS session cookie for this client
+	uint8_t client_id[18];
+	IP_Address addr = base->get_packet_address();
+	uint16_t port = base->get_packet_port();
+	copymem(client_id, addr.get_ipv6(), 16);
+	copymem(&client_id[16], (uint8_t *)&port, 2);
+	return mbedtls_ssl_set_client_transport_id(ssl_ctx->get_context(), client_id, 18);
+}
+
+Error PacketPeerMbedDTLS::_do_handshake() {
+	int ret = 0;
+	while ((ret = mbedtls_ssl_handshake(ssl_ctx->get_context())) != 0) {
+		if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
+			if (ret != MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) {
+				ERR_PRINT("TLS handshake error: " + itos(ret));
+				SSLContextMbedTLS::print_mbedtls_error(ret);
+			}
+			_cleanup();
+			status = STATUS_ERROR;
+			return FAILED;
+		}
+		// Will retry via poll later
+		return OK;
+	}
+
+	status = STATUS_CONNECTED;
+	return OK;
+}
+
+Error PacketPeerMbedDTLS::connect_to_peer(Ref<PacketPeerUDP> p_base, bool p_validate_certs, const String &p_for_hostname, Ref<X509Certificate> p_ca_certs) {
+
+	ERR_FAIL_COND_V(!p_base.is_valid() || !p_base->is_connected_to_host(), ERR_INVALID_PARAMETER);
+
+	base = p_base;
+	int ret = 0;
+	int authmode = p_validate_certs ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE;
+
+	Error err = ssl_ctx->init_client(MBEDTLS_SSL_TRANSPORT_DATAGRAM, authmode, p_ca_certs);
+	ERR_FAIL_COND_V(err != OK, err);
+
+	mbedtls_ssl_set_hostname(ssl_ctx->get_context(), p_for_hostname.utf8().get_data());
+	mbedtls_ssl_set_bio(ssl_ctx->get_context(), this, bio_send, bio_recv, NULL);
+	mbedtls_ssl_set_timer_cb(ssl_ctx->get_context(), &timer, mbedtls_timing_set_delay, mbedtls_timing_get_delay);
+
+	status = STATUS_HANDSHAKING;
+
+	if ((ret = _do_handshake()) != OK) {
+		status = STATUS_ERROR_HOSTNAME_MISMATCH;
+		return FAILED;
+	}
+
+	return OK;
+}
+
+Error PacketPeerMbedDTLS::accept_peer(Ref<PacketPeerUDP> p_base, Ref<CryptoKey> p_key, Ref<X509Certificate> p_cert, Ref<X509Certificate> p_ca_chain, Ref<CookieContextMbedTLS> p_cookies) {
+
+	Error err = ssl_ctx->init_server(MBEDTLS_SSL_TRANSPORT_DATAGRAM, MBEDTLS_SSL_VERIFY_NONE, p_key, p_cert, p_cookies);
+	ERR_FAIL_COND_V(err != OK, err);
+
+	base = p_base;
+	base->set_blocking_mode(false);
+
+	mbedtls_ssl_session_reset(ssl_ctx->get_context());
+
+	int ret = _set_cookie();
+	if (ret != 0) {
+		_cleanup();
+		ERR_FAIL_V_MSG(FAILED, "Error setting DTLS client cookie");
+	}
+
+	mbedtls_ssl_set_bio(ssl_ctx->get_context(), this, bio_send, bio_recv, NULL);
+	mbedtls_ssl_set_timer_cb(ssl_ctx->get_context(), &timer, mbedtls_timing_set_delay, mbedtls_timing_get_delay);
+
+	status = STATUS_HANDSHAKING;
+
+	if ((ret = _do_handshake()) != OK) {
+		status = STATUS_ERROR;
+		return FAILED;
+	}
+
+	return OK;
+}
+
+Error PacketPeerMbedDTLS::put_packet(const uint8_t *p_buffer, int p_bytes) {
+
+	ERR_FAIL_COND_V(status != STATUS_CONNECTED, ERR_UNCONFIGURED);
+
+	if (p_bytes == 0)
+		return OK;
+
+	int ret = mbedtls_ssl_write(ssl_ctx->get_context(), p_buffer, p_bytes);
+	if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
+		ret = 0; // non blocking io
+	} else if (ret <= 0) {
+		SSLContextMbedTLS::print_mbedtls_error(ret);
+		_cleanup();
+		return ERR_CONNECTION_ERROR;
+	}
+
+	return OK;
+}
+
+Error PacketPeerMbedDTLS::get_packet(const uint8_t **r_buffer, int &r_bytes) {
+
+	ERR_FAIL_COND_V(status != STATUS_CONNECTED, ERR_UNCONFIGURED);
+
+	r_bytes = 0;
+
+	int ret = mbedtls_ssl_read(ssl_ctx->get_context(), packet_buffer, PACKET_BUFFER_SIZE);
+	if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
+		ret = 0; // non blocking io
+	} else if (ret <= 0) {
+		if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
+			// Also send close notify back
+			disconnect_from_peer();
+		} else {
+			_cleanup();
+			status = STATUS_ERROR;
+			SSLContextMbedTLS::print_mbedtls_error(ret);
+		}
+		return ERR_CONNECTION_ERROR;
+	}
+	*r_buffer = packet_buffer;
+	r_bytes = ret;
+
+	return OK;
+}
+
+void PacketPeerMbedDTLS::poll() {
+
+	if (status == STATUS_HANDSHAKING) {
+		_do_handshake();
+		return;
+	} else if (status != STATUS_CONNECTED) {
+		return;
+	}
+
+	ERR_FAIL_COND(!base.is_valid());
+
+	int ret = mbedtls_ssl_read(ssl_ctx->get_context(), NULL, 0);
+
+	if (ret < 0 && ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
+		if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
+			// Also send close notify back
+			disconnect_from_peer();
+		} else {
+			_cleanup();
+			status = STATUS_ERROR;
+			SSLContextMbedTLS::print_mbedtls_error(ret);
+		}
+	}
+}
+
+int PacketPeerMbedDTLS::get_available_packet_count() const {
+
+	ERR_FAIL_COND_V(status != STATUS_CONNECTED, 0);
+
+	return mbedtls_ssl_get_bytes_avail(&(ssl_ctx->ssl)) > 0 ? 1 : 0;
+}
+
+int PacketPeerMbedDTLS::get_max_packet_size() const {
+
+	return 488; // 512 (UDP in Godot) - 24 (DTLS header)
+}
+
+PacketPeerMbedDTLS::PacketPeerMbedDTLS() {
+
+	ssl_ctx.instance();
+	status = STATUS_DISCONNECTED;
+}
+
+PacketPeerMbedDTLS::~PacketPeerMbedDTLS() {
+	disconnect_from_peer();
+}
+
+void PacketPeerMbedDTLS::disconnect_from_peer() {
+
+	if (status != STATUS_CONNECTED && status != STATUS_HANDSHAKING)
+		return;
+
+	if (status == STATUS_CONNECTED) {
+		int ret = 0;
+		// Send SSL close notification, blocking, but ignore other errors.
+		do
+			ret = mbedtls_ssl_close_notify(ssl_ctx->get_context());
+		while (ret == MBEDTLS_ERR_SSL_WANT_WRITE);
+	}
+
+	_cleanup();
+}
+
+PacketPeerMbedDTLS::Status PacketPeerMbedDTLS::get_status() const {
+
+	return status;
+}
+
+PacketPeerDTLS *PacketPeerMbedDTLS::_create_func() {
+
+	return memnew(PacketPeerMbedDTLS);
+}
+
+void PacketPeerMbedDTLS::initialize_dtls() {
+
+	_create = _create_func;
+	available = true;
+}
+
+void PacketPeerMbedDTLS::finalize_dtls() {
+	_create = NULL;
+	available = false;
+}
diff --git a/modules/mbedtls/packet_peer_mbed_dtls.h b/modules/mbedtls/packet_peer_mbed_dtls.h
new file mode 100755
index 0000000000..bd0856abe8
--- /dev/null
+++ b/modules/mbedtls/packet_peer_mbed_dtls.h
@@ -0,0 +1,88 @@
+/*************************************************************************/
+/*  packet_peer_mbed_dtls.h                                              */
+/*************************************************************************/
+/*                       This file is part of:                           */
+/*                           GODOT ENGINE                                */
+/*                      https://godotengine.org                          */
+/*************************************************************************/
+/* Copyright (c) 2007-2019 Juan Linietsky, Ariel Manzur.                 */
+/* Copyright (c) 2014-2019 Godot Engine contributors (cf. AUTHORS.md)    */
+/*                                                                       */
+/* Permission is hereby granted, free of charge, to any person obtaining */
+/* a copy of this software and associated documentation files (the       */
+/* "Software"), to deal in the Software without restriction, including   */
+/* without limitation the rights to use, copy, modify, merge, publish,   */
+/* distribute, sublicense, and/or sell copies of the Software, and to    */
+/* permit persons to whom the Software is furnished to do so, subject to */
+/* the following conditions:                                             */
+/*                                                                       */
+/* The above copyright notice and this permission notice shall be        */
+/* included in all copies or substantial portions of the Software.       */
+/*                                                                       */
+/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,       */
+/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF    */
+/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.*/
+/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY  */
+/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,  */
+/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE     */
+/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.                */
+/*************************************************************************/
+
+#ifndef PACKET_PEER_MBED_DTLS_H
+#define PACKET_PEER_MBED_DTLS_H
+
+#include "core/io/packet_peer_dtls.h"
+#include "ssl_context_mbedtls.h"
+
+#include <mbedtls/timing.h>
+
+class PacketPeerMbedDTLS : public PacketPeerDTLS {
+private:
+	enum {
+		PACKET_BUFFER_SIZE = 65536
+	};
+
+	uint8_t packet_buffer[PACKET_BUFFER_SIZE];
+
+	Status status;
+	String hostname;
+
+	Ref<PacketPeerUDP> base;
+
+	static PacketPeerDTLS *_create_func();
+
+	static int bio_recv(void *ctx, unsigned char *buf, size_t len);
+	static int bio_send(void *ctx, const unsigned char *buf, size_t len);
+	void _cleanup();
+
+protected:
+	Ref<SSLContextMbedTLS> ssl_ctx;
+	mbedtls_timing_delay_context timer;
+
+	static void _bind_methods();
+
+	Error _do_handshake();
+	int _set_cookie();
+
+public:
+	virtual void poll();
+	virtual Error accept_peer(Ref<PacketPeerUDP> p_base, Ref<CryptoKey> p_key, Ref<X509Certificate> p_cert = Ref<X509Certificate>(), Ref<X509Certificate> p_ca_chain = Ref<X509Certificate>(), Ref<CookieContextMbedTLS> p_cookies = Ref<CookieContextMbedTLS>());
+	virtual Error connect_to_peer(Ref<PacketPeerUDP> p_base, bool p_validate_certs = false, const String &p_for_hostname = String(), Ref<X509Certificate> p_ca_certs = Ref<X509Certificate>());
+	virtual Status get_status() const;
+
+	virtual void disconnect_from_peer();
+
+	virtual Error get_packet(const uint8_t **r_buffer, int &r_buffer_size);
+	virtual Error put_packet(const uint8_t *p_buffer, int p_buffer_size);
+
+	virtual int get_available_packet_count() const;
+	virtual int get_max_packet_size() const;
+
+	static void initialize_dtls();
+	static void finalize_dtls();
+
+	PacketPeerMbedDTLS();
+	~PacketPeerMbedDTLS();
+};
+
+#endif // PACKET_PEER_MBED_DTLS_H
diff --git a/modules/mbedtls/register_types.cpp b/modules/mbedtls/register_types.cpp
index 8f9e2c370b..d39af7fe87 100755
--- a/modules/mbedtls/register_types.cpp
+++ b/modules/mbedtls/register_types.cpp
@@ -31,16 +31,22 @@
 #include "register_types.h"
 
 #include "crypto_mbedtls.h"
+#include "dtls_server_mbedtls.h"
+#include "packet_peer_mbed_dtls.h"
 #include "stream_peer_mbedtls.h"
 
 void register_mbedtls_types() {
 
 	CryptoMbedTLS::initialize_crypto();
 	StreamPeerMbedTLS::initialize_ssl();
+	PacketPeerMbedDTLS::initialize_dtls();
+	DTLSServerMbedTLS::initialize();
 }
 
 void unregister_mbedtls_types() {
 
+	DTLSServerMbedTLS::finalize();
+	PacketPeerMbedDTLS::finalize_dtls();
 	StreamPeerMbedTLS::finalize_ssl();
 	CryptoMbedTLS::finalize_crypto();
 }
diff --git a/modules/mbedtls/ssl_context_mbedtls.cpp b/modules/mbedtls/ssl_context_mbedtls.cpp
index 82584e3494..52630bd98c 100644
--- a/modules/mbedtls/ssl_context_mbedtls.cpp
+++ b/modules/mbedtls/ssl_context_mbedtls.cpp
@@ -38,6 +38,53 @@ static void my_debug(void *ctx, int level,
 	fflush(stdout);
 }
 
+void SSLContextMbedTLS::print_mbedtls_error(int p_ret) {
+	printf("mbedtls error: returned -0x%x\n\n", -p_ret);
+	fflush(stdout);
+}
+
+/// CookieContextMbedTLS
+
+Error CookieContextMbedTLS::setup() {
+	ERR_FAIL_COND_V_MSG(inited, ERR_ALREADY_IN_USE, "This cookie context is already in use");
+
+	mbedtls_ctr_drbg_init(&ctr_drbg);
+	mbedtls_entropy_init(&entropy);
+	mbedtls_ssl_cookie_init(&cookie_ctx);
+	inited = true;
+
+	int ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0);
+	if (ret != 0) {
+		clear(); // Never leave unusable resources around.
+		ERR_FAIL_V_MSG(FAILED, "mbedtls_ctr_drbg_seed returned an error " + itos(ret));
+	}
+
+	ret = mbedtls_ssl_cookie_setup(&cookie_ctx, mbedtls_ctr_drbg_random, &ctr_drbg);
+	if (ret != 0) {
+		clear();
+		ERR_FAIL_V_MSG(FAILED, "mbedtls_ssl_cookie_setup returned an error " + itos(ret));
+	}
+	return OK;
+}
+
+void CookieContextMbedTLS::clear() {
+	if (!inited)
+		return;
+	mbedtls_ctr_drbg_free(&ctr_drbg);
+	mbedtls_entropy_free(&entropy);
+	mbedtls_ssl_cookie_free(&cookie_ctx);
+}
+
+CookieContextMbedTLS::CookieContextMbedTLS() {
+	inited = false;
+}
+
+CookieContextMbedTLS::~CookieContextMbedTLS() {
+	clear();
+}
+
+/// SSLContextMbedTLS
+
 Error SSLContextMbedTLS::_setup(int p_endpoint, int p_transport, int p_authmode) {
 	ERR_FAIL_COND_V_MSG(inited, ERR_ALREADY_IN_USE, "This SSL context is already active");
 
@@ -50,7 +97,7 @@ Error SSLContextMbedTLS::_setup(int p_endpoint, int p_transport, int p_authmode)
 	int ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0);
 	if (ret != 0) {
 		clear(); // Never leave unusable resources around.
-		ERR_FAIL_V_MSG(FAILED, "mbedtls_ctr_drbg_seed returned an error" + itos(ret));
+		ERR_FAIL_V_MSG(FAILED, "mbedtls_ctr_drbg_seed returned an error " + itos(ret));
 	}
 
 	ret = mbedtls_ssl_config_defaults(&conf, p_endpoint, p_transport, MBEDTLS_SSL_PRESET_DEFAULT);
@@ -64,7 +111,7 @@ Error SSLContextMbedTLS::_setup(int p_endpoint, int p_transport, int p_authmode)
 	return OK;
 }
 
-Error SSLContextMbedTLS::init_server(int p_transport, int p_authmode, Ref<CryptoKeyMbedTLS> p_pkey, Ref<X509CertificateMbedTLS> p_cert) {
+Error SSLContextMbedTLS::init_server(int p_transport, int p_authmode, Ref<CryptoKeyMbedTLS> p_pkey, Ref<X509CertificateMbedTLS> p_cert, Ref<CookieContextMbedTLS> p_cookies) {
 	ERR_FAIL_COND_V(!p_pkey.is_valid(), ERR_INVALID_PARAMETER);
 	ERR_FAIL_COND_V(!p_cert.is_valid(), ERR_INVALID_PARAMETER);
 
@@ -89,6 +136,15 @@ Error SSLContextMbedTLS::init_server(int p_transport, int p_authmode, Ref<Crypto
 	if (certs->cert.next) {
 		mbedtls_ssl_conf_ca_chain(&conf, certs->cert.next, NULL);
 	}
+	// DTLS Cookies
+	if (p_transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+		if (p_cookies.is_null() || !p_cookies->inited) {
+			clear();
+			ERR_FAIL_V(ERR_BUG);
+		}
+		cookies = p_cookies;
+		mbedtls_ssl_conf_dtls_cookies(&conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &(cookies->cookie_ctx));
+	}
 	mbedtls_ssl_setup(&ssl, &conf);
 	return OK;
 }
@@ -134,6 +190,7 @@ void SSLContextMbedTLS::clear() {
 	if (pkey.is_valid())
 		pkey->unlock();
 	pkey = Ref<CryptoKeyMbedTLS>();
+	cookies = Ref<CookieContextMbedTLS>();
 	inited = false;
 }
 
diff --git a/modules/mbedtls/ssl_context_mbedtls.h b/modules/mbedtls/ssl_context_mbedtls.h
index 01b8b3fd4d..d3e1f87a8e 100644
--- a/modules/mbedtls/ssl_context_mbedtls.h
+++ b/modules/mbedtls/ssl_context_mbedtls.h
@@ -42,6 +42,27 @@
 #include <mbedtls/debug.h>
 #include <mbedtls/entropy.h>
 #include <mbedtls/ssl.h>
+#include <mbedtls/ssl_cookie.h>
+
+class SSLContextMbedTLS;
+
+class CookieContextMbedTLS : public Reference {
+
+	friend class SSLContextMbedTLS;
+
+protected:
+	bool inited;
+	mbedtls_entropy_context entropy;
+	mbedtls_ctr_drbg_context ctr_drbg;
+	mbedtls_ssl_cookie_ctx cookie_ctx;
+
+public:
+	Error setup();
+	void clear();
+
+	CookieContextMbedTLS();
+	~CookieContextMbedTLS();
+};
 
 class SSLContextMbedTLS : public Reference {
 
@@ -51,16 +72,19 @@ protected:
 	static PackedByteArray _read_file(String p_path);
 
 public:
+	static void print_mbedtls_error(int p_ret);
+
 	Ref<X509CertificateMbedTLS> certs;
 	mbedtls_entropy_context entropy;
 	mbedtls_ctr_drbg_context ctr_drbg;
 	mbedtls_ssl_context ssl;
 	mbedtls_ssl_config conf;
 
+	Ref<CookieContextMbedTLS> cookies;
 	Ref<CryptoKeyMbedTLS> pkey;
 
 	Error _setup(int p_endpoint, int p_transport, int p_authmode);
-	Error init_server(int p_transport, int p_authmode, Ref<CryptoKeyMbedTLS> p_pkey, Ref<X509CertificateMbedTLS> p_cert);
+	Error init_server(int p_transport, int p_authmode, Ref<CryptoKeyMbedTLS> p_pkey, Ref<X509CertificateMbedTLS> p_cert, Ref<CookieContextMbedTLS> p_cookies = Ref<CookieContextMbedTLS>());
 	Error init_client(int p_transport, int p_authmode, Ref<X509CertificateMbedTLS> p_valid_cas);
 	void clear();
 
diff --git a/modules/mbedtls/stream_peer_mbedtls.cpp b/modules/mbedtls/stream_peer_mbedtls.cpp
index f06327e0d5..03c5922267 100755
--- a/modules/mbedtls/stream_peer_mbedtls.cpp
+++ b/modules/mbedtls/stream_peer_mbedtls.cpp
@@ -33,11 +33,6 @@
 #include "core/io/stream_peer_tcp.h"
 #include "core/os/file_access.h"
 
-void _print_error(int ret) {
-	printf("mbedtls error: returned -0x%x\n\n", -ret);
-	fflush(stdout);
-}
-
 int StreamPeerMbedTLS::bio_send(void *ctx, const unsigned char *buf, size_t len) {
 
 	if (buf == NULL || len <= 0) return 0;
@@ -89,7 +84,7 @@ Error StreamPeerMbedTLS::_do_handshake() {
 		if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
 			// An error occurred.
 			ERR_PRINT("TLS handshake error: " + itos(ret));
-			_print_error(ret);
+			SSLContextMbedTLS::print_mbedtls_error(ret);
 			disconnect_from_stream();
 			status = STATUS_ERROR;
 			return FAILED;
@@ -188,7 +183,7 @@ Error StreamPeerMbedTLS::put_partial_data(const uint8_t *p_data, int p_bytes, in
 		disconnect_from_stream();
 		return ERR_FILE_EOF;
 	} else if (ret <= 0) {
-		_print_error(ret);
+		SSLContextMbedTLS::print_mbedtls_error(ret);
 		disconnect_from_stream();
 		return ERR_CONNECTION_ERROR;
 	}
@@ -233,7 +228,7 @@ Error StreamPeerMbedTLS::get_partial_data(uint8_t *p_buffer, int p_bytes, int &r
 		disconnect_from_stream();
 		return ERR_FILE_EOF;
 	} else if (ret <= 0) {
-		_print_error(ret);
+		SSLContextMbedTLS::print_mbedtls_error(ret);
 		disconnect_from_stream();
 		return ERR_CONNECTION_ERROR;
 	}
@@ -264,7 +259,7 @@ void StreamPeerMbedTLS::poll() {
 		disconnect_from_stream();
 		return;
 	} else if (ret < 0) {
-		_print_error(ret);
+		SSLContextMbedTLS::print_mbedtls_error(ret);
 		disconnect_from_stream();
 		return;
 	}