[MBEDTLS] Update to version 2.7.10. CORE-15895

2025-08-02 06:15:52 +00:00 · 2019-03-27 15:40:37 +01:00 · 2019-03-27 15:40:37 +01:00 · ca86ee9c03
commit ca86ee9c03
parent ba1fb9ace9
40 changed files with 383 additions and 79 deletions
--- a/sdk/include/reactos/libs/mbedtls/aesni.h
+++ b/sdk/include/reactos/libs/mbedtls/aesni.h
@ -26,6 +26,12 @@
 #ifndef MBEDTLS_AESNI_H
 #define MBEDTLS_AESNI_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "aes.h"

 #define MBEDTLS_AESNI_AES      0x02000000u
--- a/sdk/include/reactos/libs/mbedtls/asn1write.h
+++ b/sdk/include/reactos/libs/mbedtls/asn1write.h
@ -26,6 +26,12 @@
 #ifndef MBEDTLS_ASN1_WRITE_H
 #define MBEDTLS_ASN1_WRITE_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "asn1.h"

 #define MBEDTLS_ASN1_CHK_ADD(g, f) do { if( ( ret = f ) < 0 ) return( ret ); else   \
@ -185,24 +191,27 @@ int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start,
                           const char *text, size_t text_len );

 /**
- * \brief           Write a bitstring tag (MBEDTLS_ASN1_BIT_STRING) and
- *                  value in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write a bitstring tag (#MBEDTLS_ASN1_BIT_STRING) and
+ *                  value in ASN.1 format.
 *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param buf       the bitstring
- * \param bits      the total number of bits in the bitstring
+ * \note            This function works backwards in data buffer.
 *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param buf       The bitstring to write.
+ * \param bits      The total number of bits in the bitstring.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
 */
 int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
                          const unsigned char *buf, size_t bits );

 /**
- * \brief           Write an octet string tag (MBEDTLS_ASN1_OCTET_STRING) and
- *                  value in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING)
+ *                  and value in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
 *
 * \param p         reference to current position pointer
 * \param start     start of the buffer (for bounds-checking)
--- a/sdk/include/reactos/libs/mbedtls/base64.h
+++ b/sdk/include/reactos/libs/mbedtls/base64.h
@ -26,6 +26,12 @@
 #ifndef MBEDTLS_BASE64_H
 #define MBEDTLS_BASE64_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>

 #define MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL               -0x002A  /**< Output buffer too small. */
--- a/sdk/include/reactos/libs/mbedtls/bn_mul.h
+++ b/sdk/include/reactos/libs/mbedtls/bn_mul.h
@ -40,6 +40,12 @@
 #ifndef MBEDTLS_BN_MUL_H
 #define MBEDTLS_BN_MUL_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "bignum.h"

 #if defined(MBEDTLS_HAVE_ASM)
@ -736,7 +742,7 @@
        "sw     $10, %2         \n\t"   \
        : "=m" (c), "=m" (d), "=m" (s)                      \
        : "m" (s), "m" (d), "m" (c), "m" (b)                \
-        : "$9", "$10", "$11", "$12", "$13", "$14", "$15"    \
+        : "$9", "$10", "$11", "$12", "$13", "$14", "$15", "lo", "hi" \
    );

 #endif /* MIPS */
--- a/sdk/include/reactos/libs/mbedtls/ccm.h
+++ b/sdk/include/reactos/libs/mbedtls/ccm.h
@ -36,6 +36,12 @@
 #ifndef MBEDTLS_CCM_H
 #define MBEDTLS_CCM_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "cipher.h"

 #define MBEDTLS_ERR_CCM_BAD_INPUT       -0x000D /**< Bad input parameters to the function. */
--- a/sdk/include/reactos/libs/mbedtls/certs.h
+++ b/sdk/include/reactos/libs/mbedtls/certs.h
@ -26,6 +26,12 @@
 #ifndef MBEDTLS_CERTS_H
 #define MBEDTLS_CERTS_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>

 #ifdef __cplusplus
--- a/sdk/include/reactos/libs/mbedtls/cmac.h
+++ b/sdk/include/reactos/libs/mbedtls/cmac.h
@ -28,6 +28,12 @@
 #ifndef MBEDTLS_CMAC_H
 #define MBEDTLS_CMAC_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "cipher.h"

 #ifdef __cplusplus
--- a/sdk/include/reactos/libs/mbedtls/compat-1.3.h
+++ b/sdk/include/reactos/libs/mbedtls/compat-1.3.h
@ -27,6 +27,12 @@
 *  This file is part of mbed TLS (https://tls.mbed.org)
 */

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #if ! defined(MBEDTLS_DEPRECATED_REMOVED)

 #if defined(MBEDTLS_DEPRECATED_WARNING)
--- a/sdk/include/reactos/libs/mbedtls/config.h
+++ b/sdk/include/reactos/libs/mbedtls/config.h
@ -558,6 +558,26 @@
 */
 #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES

+/**
+ * \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
+ *
+ * Remove 3DES ciphersuites by default in SSL / TLS.
+ * This flag removes the ciphersuites based on 3DES from the default list as
+ * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible
+ * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
+ * them explicitly.
+ *
+ * A man-in-the-browser attacker can recover authentication tokens sent through
+ * a TLS connection using a 3DES based cipher suite (see "On the Practical
+ * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
+ * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
+ * in your threat model or you are unsure, then you should keep this option
+ * enabled to remove 3DES based cipher suites.
+ *
+ * Comment this macro to keep 3DES in the default ciphersuite list.
+ */
+#define MBEDTLS_REMOVE_3DES_CIPHERSUITES
+
 /**
 * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
 *
--- a/sdk/include/reactos/libs/mbedtls/ctr_drbg.h
+++ b/sdk/include/reactos/libs/mbedtls/ctr_drbg.h
@ -30,6 +30,12 @@
 #ifndef MBEDTLS_CTR_DRBG_H
 #define MBEDTLS_CTR_DRBG_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "aes.h"

 #if defined(MBEDTLS_THREADING_C)
--- a/sdk/include/reactos/libs/mbedtls/ecdh.h
+++ b/sdk/include/reactos/libs/mbedtls/ecdh.h
@ -35,6 +35,12 @@
 #ifndef MBEDTLS_ECDH_H
 #define MBEDTLS_ECDH_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "ecp.h"

 #ifdef __cplusplus
--- a/sdk/include/reactos/libs/mbedtls/ecdsa.h
+++ b/sdk/include/reactos/libs/mbedtls/ecdsa.h
@ -33,6 +33,12 @@
 #ifndef MBEDTLS_ECDSA_H
 #define MBEDTLS_ECDSA_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "ecp.h"
 #include "md.h"

--- a/sdk/include/reactos/libs/mbedtls/ecjpake.h
+++ b/sdk/include/reactos/libs/mbedtls/ecjpake.h
@ -42,6 +42,11 @@
 * The payloads are serialized in a way suitable for use in TLS, but could
 * also be use outside TLS.
 */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif

 #include "ecp.h"
 #include "md.h"
--- a/sdk/include/reactos/libs/mbedtls/ecp.h
+++ b/sdk/include/reactos/libs/mbedtls/ecp.h
@ -26,6 +26,12 @@
 #ifndef MBEDTLS_ECP_H
 #define MBEDTLS_ECP_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "bignum.h"

 /*
--- a/sdk/include/reactos/libs/mbedtls/ecp_internal.h
+++ b/sdk/include/reactos/libs/mbedtls/ecp_internal.h
@ -63,6 +63,12 @@
 #ifndef MBEDTLS_ECP_INTERNAL_H
 #define MBEDTLS_ECP_INTERNAL_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #if defined(MBEDTLS_ECP_INTERNAL_ALT)

 /**
--- a/sdk/include/reactos/libs/mbedtls/error.h
+++ b/sdk/include/reactos/libs/mbedtls/error.h
@ -26,6 +26,12 @@
 #ifndef MBEDTLS_ERROR_H
 #define MBEDTLS_ERROR_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>

 /**
--- a/sdk/include/reactos/libs/mbedtls/gcm.h
+++ b/sdk/include/reactos/libs/mbedtls/gcm.h
@ -33,6 +33,12 @@
 #ifndef MBEDTLS_GCM_H
 #define MBEDTLS_GCM_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "cipher.h"

 #include <stdint.h>
--- a/sdk/include/reactos/libs/mbedtls/havege.h
+++ b/sdk/include/reactos/libs/mbedtls/havege.h
@ -26,6 +26,12 @@
 #ifndef MBEDTLS_HAVEGE_H
 #define MBEDTLS_HAVEGE_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>

 #define MBEDTLS_HAVEGE_COLLECT_SIZE 1024
--- a/sdk/include/reactos/libs/mbedtls/hmac_drbg.h
+++ b/sdk/include/reactos/libs/mbedtls/hmac_drbg.h
@ -26,6 +26,12 @@
 #ifndef MBEDTLS_HMAC_DRBG_H
 #define MBEDTLS_HMAC_DRBG_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "md.h"

 #if defined(MBEDTLS_THREADING_C)
--- a/sdk/include/reactos/libs/mbedtls/net.h
+++ b/sdk/include/reactos/libs/mbedtls/net.h
@ -25,6 +25,11 @@
 *
 *  This file is part of mbed TLS (https://tls.mbed.org)
 */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif

 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
 #include "net_sockets.h"
--- a/sdk/include/reactos/libs/mbedtls/padlock.h
+++ b/sdk/include/reactos/libs/mbedtls/padlock.h
@ -27,6 +27,12 @@
 #ifndef MBEDTLS_PADLOCK_H
 #define MBEDTLS_PADLOCK_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "aes.h"

 #define MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED               -0x0030  /**< Input data should be aligned. */
--- a/sdk/include/reactos/libs/mbedtls/pem.h
+++ b/sdk/include/reactos/libs/mbedtls/pem.h
@ -26,6 +26,12 @@
 #ifndef MBEDTLS_PEM_H
 #define MBEDTLS_PEM_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>

 /**
--- a/sdk/include/reactos/libs/mbedtls/pkcs12.h
+++ b/sdk/include/reactos/libs/mbedtls/pkcs12.h
@ -26,6 +26,12 @@
 #ifndef MBEDTLS_PKCS12_H
 #define MBEDTLS_PKCS12_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "md.h"
 #include "cipher.h"
 #include "asn1.h"
--- a/sdk/include/reactos/libs/mbedtls/pkcs5.h
+++ b/sdk/include/reactos/libs/mbedtls/pkcs5.h
@ -28,6 +28,12 @@
 #ifndef MBEDTLS_PKCS5_H
 #define MBEDTLS_PKCS5_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "asn1.h"
 #include "md.h"

--- a/sdk/include/reactos/libs/mbedtls/ssl_cache.h
+++ b/sdk/include/reactos/libs/mbedtls/ssl_cache.h
@ -26,6 +26,12 @@
 #ifndef MBEDTLS_SSL_CACHE_H
 #define MBEDTLS_SSL_CACHE_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "ssl.h"

 #if defined(MBEDTLS_THREADING_C)
--- a/sdk/include/reactos/libs/mbedtls/ssl_ciphersuites.h
+++ b/sdk/include/reactos/libs/mbedtls/ssl_ciphersuites.h
@ -26,6 +26,12 @@
 #ifndef MBEDTLS_SSL_CIPHERSUITES_H
 #define MBEDTLS_SSL_CIPHERSUITES_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "pk.h"
 #include "cipher.h"
 #include "md.h"
--- a/sdk/include/reactos/libs/mbedtls/ssl_cookie.h
+++ b/sdk/include/reactos/libs/mbedtls/ssl_cookie.h
@ -26,6 +26,12 @@
 #ifndef MBEDTLS_SSL_COOKIE_H
 #define MBEDTLS_SSL_COOKIE_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "ssl.h"

 #if defined(MBEDTLS_THREADING_C)
--- a/sdk/include/reactos/libs/mbedtls/ssl_internal.h
+++ b/sdk/include/reactos/libs/mbedtls/ssl_internal.h
@ -26,6 +26,12 @@
 #ifndef MBEDTLS_SSL_INTERNAL_H
 #define MBEDTLS_SSL_INTERNAL_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "ssl.h"
 #include "cipher.h"

--- a/sdk/include/reactos/libs/mbedtls/ssl_ticket.h
+++ b/sdk/include/reactos/libs/mbedtls/ssl_ticket.h
@ -26,6 +26,12 @@
 #ifndef MBEDTLS_SSL_TICKET_H
 #define MBEDTLS_SSL_TICKET_H

+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 /*
 * This implementation of the session ticket callbacks includes key
 * management, rotating the keys periodically in order to preserve forward
--- a/sdk/include/reactos/libs/mbedtls/version.h
+++ b/sdk/include/reactos/libs/mbedtls/version.h
@ -42,16 +42,16 @@
 */
 #define MBEDTLS_VERSION_MAJOR  2
 #define MBEDTLS_VERSION_MINOR  7
-#define MBEDTLS_VERSION_PATCH  9
+#define MBEDTLS_VERSION_PATCH  10

 /**
 * The single version number has the following structure:
 *    MMNNPP00
 *    Major version | Minor version | Patch version
 */
-#define MBEDTLS_VERSION_NUMBER         0x02070900
-#define MBEDTLS_VERSION_STRING         "2.7.9"
-#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.7.9"
+#define MBEDTLS_VERSION_NUMBER         0x02070A00
+#define MBEDTLS_VERSION_STRING         "2.7.10"
+#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.7.10"

 #if defined(MBEDTLS_VERSION_C)

--- a/sdk/include/reactos/libs/mbedtls/x509_csr.h
+++ b/sdk/include/reactos/libs/mbedtls/x509_csr.h
@ -207,6 +207,14 @@ void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_ty
 * \param key_usage key usage flags to set
 *
 * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ *
+ * \note            The <code>decipherOnly</code> flag from the Key Usage
+ *                  extension is represented by bit 8 (i.e.
+ *                  <code>0x8000</code>), which cannot typically be represented
+ *                  in an unsigned char. Therefore, the flag
+ *                  <code>decipherOnly</code> (i.e.
+ *                  #MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this
+ *                  function.
 */
 int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage );