https://git.reactos.org/?p=reactos.git;a=commitdiff;h=ca86ee9c037111718c0b2…
commit ca86ee9c037111718c0b2c1be284b987c445fdee
Author: Thomas Faber <thomas.faber(a)reactos.org>
AuthorDate: Wed Mar 27 15:40:37 2019 +0100
Commit: Thomas Faber <thomas.faber(a)reactos.org>
CommitDate: Sat Mar 30 14:57:40 2019 +0100
[MBEDTLS] Update to version 2.7.10. CORE-15895
---
dll/3rdparty/mbedtls/asn1write.c | 28 ++++++-----
dll/3rdparty/mbedtls/bignum.c | 38 ++++++++++-----
dll/3rdparty/mbedtls/ecdsa.c | 9 +++-
dll/3rdparty/mbedtls/ssl_ciphersuites.c | 57 +++++++++++++---------
dll/3rdparty/mbedtls/version_features.c | 3 ++
dll/3rdparty/mbedtls/x509_csr.c | 15 ++++--
dll/3rdparty/mbedtls/x509write_crt.c | 47 +++++++++++++++---
dll/3rdparty/mbedtls/x509write_csr.c | 36 ++++++++++++--
media/doc/3rd Party Files.txt | 2 +-
sdk/include/reactos/libs/mbedtls/aesni.h | 6 +++
sdk/include/reactos/libs/mbedtls/asn1write.h | 31 +++++++-----
sdk/include/reactos/libs/mbedtls/base64.h | 6 +++
sdk/include/reactos/libs/mbedtls/bn_mul.h | 8 ++-
sdk/include/reactos/libs/mbedtls/ccm.h | 6 +++
sdk/include/reactos/libs/mbedtls/certs.h | 6 +++
sdk/include/reactos/libs/mbedtls/cmac.h | 6 +++
sdk/include/reactos/libs/mbedtls/compat-1.3.h | 6 +++
sdk/include/reactos/libs/mbedtls/config.h | 20 ++++++++
sdk/include/reactos/libs/mbedtls/ctr_drbg.h | 6 +++
sdk/include/reactos/libs/mbedtls/ecdh.h | 6 +++
sdk/include/reactos/libs/mbedtls/ecdsa.h | 6 +++
sdk/include/reactos/libs/mbedtls/ecjpake.h | 5 ++
sdk/include/reactos/libs/mbedtls/ecp.h | 6 +++
sdk/include/reactos/libs/mbedtls/ecp_internal.h | 6 +++
sdk/include/reactos/libs/mbedtls/error.h | 6 +++
sdk/include/reactos/libs/mbedtls/gcm.h | 6 +++
sdk/include/reactos/libs/mbedtls/havege.h | 6 +++
sdk/include/reactos/libs/mbedtls/hmac_drbg.h | 6 +++
sdk/include/reactos/libs/mbedtls/net.h | 5 ++
sdk/include/reactos/libs/mbedtls/padlock.h | 6 +++
sdk/include/reactos/libs/mbedtls/pem.h | 6 +++
sdk/include/reactos/libs/mbedtls/pkcs12.h | 6 +++
sdk/include/reactos/libs/mbedtls/pkcs5.h | 6 +++
sdk/include/reactos/libs/mbedtls/ssl_cache.h | 6 +++
.../reactos/libs/mbedtls/ssl_ciphersuites.h | 6 +++
sdk/include/reactos/libs/mbedtls/ssl_cookie.h | 6 +++
sdk/include/reactos/libs/mbedtls/ssl_internal.h | 6 +++
sdk/include/reactos/libs/mbedtls/ssl_ticket.h | 6 +++
sdk/include/reactos/libs/mbedtls/version.h | 8 +--
sdk/include/reactos/libs/mbedtls/x509_csr.h | 8 +++
40 files changed, 384 insertions(+), 80 deletions(-)
diff --git a/dll/3rdparty/mbedtls/asn1write.c b/dll/3rdparty/mbedtls/asn1write.c
index bbcba87ce5..0025053cab 100644
--- a/dll/3rdparty/mbedtls/asn1write.c
+++ b/dll/3rdparty/mbedtls/asn1write.c
@@ -296,22 +296,28 @@ int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char
*start,
const unsigned char *buf, size_t bits )
{
int ret;
- size_t len = 0, size;
+ size_t len = 0;
+ size_t unused_bits, byte_len;
- size = ( bits / 8 ) + ( ( bits % 8 ) ? 1 : 0 );
+ byte_len = ( bits + 7 ) / 8;
+ unused_bits = ( byte_len * 8 ) - bits;
- // Calculate byte length
- //
- if( *p < start || (size_t)( *p - start ) < size + 1 )
+ if( *p < start || (size_t)( *p - start ) < byte_len + 1 )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
- len = size + 1;
- (*p) -= size;
- memcpy( *p, buf, size );
+ len = byte_len + 1;
- // Write unused bits
- //
- *--(*p) = (unsigned char) (size * 8 - bits);
+ /* Write the bitstring. Ensure the unused bits are zeroed */
+ if( byte_len > 0 )
+ {
+ byte_len--;
+ *--( *p ) = buf[byte_len] & ~( ( 0x1 << unused_bits ) - 1 );
+ ( *p ) -= byte_len;
+ memcpy( *p, buf, byte_len );
+ }
+
+ /* Write unused bits */
+ *--( *p ) = (unsigned char)unused_bits;
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_BIT_STRING
) );
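Review bot: The new rounding `byte_len = ( bits + 7 ) / 8;` wraps when `bits` is within 7 of `SIZE_MAX`, which the removed `( bits / 8 ) + ( ( bits % 8 ) ? 1 : 0 )` form did not. After a wrap `byte_len` is tiny, the bounds check passes, and `unused_bits = ( byte_len * 8 ) - bits` wraps to a non-zero count over empty content, so the function emits a malformed BIT STRING instead of failing. No out-of-bounds write follows from this in the visible lines, and the callers in this commit pass at most 8 bits, so it is an edge-case hardening point. Writing it as `byte_len = bits / 8 + ( bits % 8 != 0 );` avoids the wrap. The function body continues past the end of the hunk.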
diff --git a/dll/3rdparty/mbedtls/bignum.c b/dll/3rdparty/mbedtls/bignum.c
index 7194bf895a..9b4eee4893 100644
--- a/dll/3rdparty/mbedtls/bignum.c
+++ b/dll/3rdparty/mbedtls/bignum.c
@@ -502,26 +502,38 @@ cleanup:
}
/*
- * Helper to write the digits high-order first
+ * Helper to write the digits high-order first.
*/
-static int mpi_write_hlp( mbedtls_mpi *X, int radix, char **p )
+static int mpi_write_hlp( mbedtls_mpi *X, int radix,
+ char **p, const size_t buflen )
{
int ret;
mbedtls_mpi_uint r;
+ size_t length = 0;
+ char *p_end = *p + buflen;
- if( radix < 2 || radix > 16 )
- return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+ do
+ {
+ if( length >= buflen )
+ {
+ return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
+ }
- MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, radix ) );
- MBEDTLS_MPI_CHK( mbedtls_mpi_div_int( X, NULL, X, radix ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, radix ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_div_int( X, NULL, X, radix ) );
+ /*
+ * Write the residue in the current position, as an ASCII character.
+ */
+ if( r < 0xA )
+ *(--p_end) = (char)( '0' + r );
+ else
+ *(--p_end) = (char)( 'A' + ( r - 0xA ) );
- if( mbedtls_mpi_cmp_int( X, 0 ) != 0 )
- MBEDTLS_MPI_CHK( mpi_write_hlp( X, radix, p ) );
+ length++;
+ } while( mbedtls_mpi_cmp_int( X, 0 ) != 0 );
- if( r < 10 )
- *(*p)++ = (char)( r + 0x30 );
- else
- *(*p)++ = (char)( r + 0x37 );
+ memmove( *p, p_end, length );
+ *p += length;
cleanup:
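Review bot: `char *p_end = *p + buflen;` is only a valid bound if `*p` still points at the start of a `buflen`-byte region, and the call added in the next hunk passes the caller's whole `buflen` together with its running cursor `p`. If that cursor has already advanced (the `T.s == -1` handling suggests a sign character may have been written, but that code is outside the hunk), the first digit is staged one byte past the buffer. The loop also accepts exactly `buflen` digits, which leaves no room for the `*p++ = '\0'` that follows the call. The caller's earlier size check, not visible here, may make both cases unreachable; if so, say so in the helper's header comment, e.g. `/* buflen: bytes available at *p, excluding the terminator; the caller has already checked the worst-case length */`. Otherwise pass the remaining space instead, `buflen - (size_t)( p - buf ) - 1`, where `buf` is the caller's output buffer.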
@@ -591,7 +603,7 @@ int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
if( T.s == -1 )
T.s = 1;
- MBEDTLS_MPI_CHK( mpi_write_hlp( &T, radix, &p ) );
+ MBEDTLS_MPI_CHK( mpi_write_hlp( &T, radix, &p, buflen ) );
}
*p++ = '\0';
diff --git a/dll/3rdparty/mbedtls/ecdsa.c b/dll/3rdparty/mbedtls/ecdsa.c
index e97e6cb433..3f2cf1d31f 100644
--- a/dll/3rdparty/mbedtls/ecdsa.c
+++ b/dll/3rdparty/mbedtls/ecdsa.c
@@ -422,8 +422,13 @@ cleanup:
int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
- return( mbedtls_ecp_group_load( &ctx->grp, gid ) ||
- mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d, &ctx->Q,
f_rng, p_rng ) );
+ int ret = 0;
+ ret = mbedtls_ecp_group_load( &ctx->grp, gid );
+ if( ret != 0 )
+ return( ret );
+
+ return( mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d,
+ &ctx->Q, f_rng, p_rng ) );
}
#endif /* MBEDTLS_ECDSA_GENKEY_ALT */
diff --git a/dll/3rdparty/mbedtls/ssl_ciphersuites.c
b/dll/3rdparty/mbedtls/ssl_ciphersuites.c
index b9b21ad8f2..46d9a57674 100644
--- a/dll/3rdparty/mbedtls/ssl_ciphersuites.c
+++ b/dll/3rdparty/mbedtls/ssl_ciphersuites.c
@@ -45,11 +45,11 @@
/*
* Ordered from most preferred to least preferred in terms of security.
*
- * Current rule (except rc4, weak and null which come last):
+ * Current rule (except RC4 and 3DES, weak and null which come last):
* 1. By key exchange:
* Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK >
other PSK
* 2. By key length and cipher:
- * AES-256 > Camellia-256 > AES-128 > Camellia-128 > 3DES
+ * AES-256 > Camellia-256 > AES-128 > Camellia-128
* 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8
* 4. By hash function used when relevant
* 5. By key exchange/auth again: EC > non-EC
@@ -107,11 +107,6 @@ static const int ciphersuite_preference[] =
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
- /* All remaining >= 128-bit ephemeral suites */
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
- MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
-
/* The PSK ephemeral suites */
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM,
@@ -135,9 +130,6 @@ static const int ciphersuite_preference[] =
MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8,
- MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
- MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
-
/* The ECJPAKE suite */
MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8,
@@ -185,11 +177,6 @@ static const int ciphersuite_preference[] =
MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
- /* All remaining >= 128-bit suites */
- MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
- MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
- MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
-
/* The RSA PSK suites */
MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
@@ -203,8 +190,6 @@ static const int ciphersuite_preference[] =
MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
- MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
-
/* The PSK suites */
MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_PSK_WITH_AES_256_CCM,
@@ -222,6 +207,16 @@ static const int ciphersuite_preference[] =
MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8,
+ /* 3DES suites */
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
/* RC4 suites */
@@ -1706,6 +1701,26 @@ const int *mbedtls_ssl_list_ciphersuites( void )
static int supported_ciphersuites[MAX_CIPHERSUITES];
static int supported_init = 0;
+static int ciphersuite_is_removed( const mbedtls_ssl_ciphersuite_t *cs_info )
+{
+ (void)cs_info;
+
+#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
+ if( cs_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
+ return( 1 );
+#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
+
+#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
+ if( cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_ECB ||
+ cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_CBC )
+ {
+ return( 1 );
+ }
+#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
+
+ return( 0 );
+}
+
const int *mbedtls_ssl_list_ciphersuites( void )
{
/*
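Review bot: `ciphersuite_is_removed()` has no comment saying what "removed" covers, and the name reads as if the suite were disabled in the library. Going by the config.h text added in this same commit, it only filters the default list built by `mbedtls_ssl_list_ciphersuites()`, and a 3DES suite named explicitly through `mbedtls_ssl_conf_ciphersuites()` is still accepted. I would add above the function: `/* Return 1 if cs_info is excluded from the default list by a MBEDTLS_REMOVE_*_CIPHERSUITES option; explicitly configured suites are not filtered here. */`. The `(void)cs_info;` line also deserves a short why-comment, since it appears to exist only to silence the unused-parameter warning when neither option is defined.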
@@ -1721,14 +1736,12 @@ const int *mbedtls_ssl_list_ciphersuites( void )
*p != 0 && q < supported_ciphersuites + MAX_CIPHERSUITES - 1;
p++ )
{
-#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
const mbedtls_ssl_ciphersuite_t *cs_info;
if( ( cs_info = mbedtls_ssl_ciphersuite_from_id( *p ) ) != NULL &&
- cs_info->cipher != MBEDTLS_CIPHER_ARC4_128 )
-#else
- if( mbedtls_ssl_ciphersuite_from_id( *p ) != NULL )
-#endif
+ !ciphersuite_is_removed( cs_info ) )
+ {
*(q++) = *p;
+ }
}
*q = 0;
diff --git a/dll/3rdparty/mbedtls/version_features.c
b/dll/3rdparty/mbedtls/version_features.c
index e4605a4f00..eaae48cce5 100644
--- a/dll/3rdparty/mbedtls/version_features.c
+++ b/dll/3rdparty/mbedtls/version_features.c
@@ -272,6 +272,9 @@ static const char *features[] = {
#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
"MBEDTLS_REMOVE_ARC4_CIPHERSUITES",
#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
+#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
+ "MBEDTLS_REMOVE_3DES_CIPHERSUITES",
+#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
"MBEDTLS_ECP_DP_SECP192R1_ENABLED",
#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
diff --git a/dll/3rdparty/mbedtls/x509_csr.c b/dll/3rdparty/mbedtls/x509_csr.c
index c153613577..7598938d0c 100644
--- a/dll/3rdparty/mbedtls/x509_csr.c
+++ b/dll/3rdparty/mbedtls/x509_csr.c
@@ -285,15 +285,24 @@ int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned
char *buf, siz
{
mbedtls_pem_init( &pem );
ret = mbedtls_pem_read_buffer( &pem,
- "-----BEGIN CERTIFICATE REQUEST-----",
- "-----END CERTIFICATE REQUEST-----",
- buf, NULL, 0, &use_len );
+ "-----BEGIN CERTIFICATE REQUEST-----",
+ "-----END CERTIFICATE REQUEST-----",
+ buf, NULL, 0, &use_len );
+ if( ret == MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+ {
+ ret = mbedtls_pem_read_buffer( &pem,
+ "-----BEGIN NEW CERTIFICATE
REQUEST-----",
+ "-----END NEW CERTIFICATE
REQUEST-----",
+ buf, NULL, 0, &use_len );
+ }
if( ret == 0 )
+ {
/*
* Was PEM encoded, parse the result
*/
ret = mbedtls_x509_csr_parse_der( csr, pem.buf, pem.buflen );
+ }
mbedtls_pem_free( &pem );
if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
diff --git a/dll/3rdparty/mbedtls/x509write_crt.c b/dll/3rdparty/mbedtls/x509write_crt.c
index 3512be5f1d..a3aeeb5edc 100644
--- a/dll/3rdparty/mbedtls/x509write_crt.c
+++ b/dll/3rdparty/mbedtls/x509write_crt.c
@@ -224,26 +224,51 @@ int mbedtls_x509write_crt_set_authority_key_identifier(
mbedtls_x509write_cert *
}
#endif /* MBEDTLS_SHA1_C */
+static size_t crt_get_unused_bits_for_named_bitstring( unsigned char bitstring,
+ size_t bit_offset )
+{
+ size_t unused_bits;
+
+ /* Count the unused bits removing trailing 0s */
+ for( unused_bits = bit_offset; unused_bits < 8; unused_bits++ )
+ if( ( ( bitstring >> unused_bits ) & 0x1 ) != 0 )
+ break;
+
+ return( unused_bits );
+}
+
int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
unsigned int key_usage )
{
unsigned char buf[4], ku;
unsigned char *c;
int ret;
-
- /* We currently only support 7 bits, from 0x80 to 0x02 */
- if( ( key_usage & ~0xfe ) != 0 )
+ size_t unused_bits;
+ const unsigned int allowed_bits = MBEDTLS_X509_KU_DIGITAL_SIGNATURE |
+ MBEDTLS_X509_KU_NON_REPUDIATION |
+ MBEDTLS_X509_KU_KEY_ENCIPHERMENT |
+ MBEDTLS_X509_KU_DATA_ENCIPHERMENT |
+ MBEDTLS_X509_KU_KEY_AGREEMENT |
+ MBEDTLS_X509_KU_KEY_CERT_SIGN |
+ MBEDTLS_X509_KU_CRL_SIGN;
+
+ /* Check that nothing other than the allowed flags is set */
+ if( ( key_usage & ~allowed_bits ) != 0 )
return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
c = buf + 4;
- ku = (unsigned char) key_usage;
+ ku = (unsigned char)key_usage;
+ unused_bits = crt_get_unused_bits_for_named_bitstring( ku, 1 );
+ ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 8 - unused_bits );
- if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 7 ) ) != 4 )
+ if( ret < 0 )
return( ret );
+ else if( ret < 3 || ret > 4 )
+ return( MBEDTLS_ERR_X509_INVALID_FORMAT );
ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
- 1, buf, 4 );
+ 1, c, (size_t)ret );
if( ret != 0 )
return( ret );
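Review bot: `crt_get_unused_bits_for_named_bitstring()` is repeated line for line as `csr_get_unused_bits_for_named_bitstring()` in x509write_csr.c later in this commit. Two private copies of the same DER-encoding rule can drift apart; a single shared helper next to `mbedtls_asn1_write_bitstring()` would keep certificate and CSR output consistent. The helper's comment does not explain `bit_offset` either. Here it is called with 1 and the CSR key-usage setter calls it with 0, so something like `/* bit_offset: lowest bit of the byte that can carry a flag; lower bits always count as unused */` would help, assuming that reading of the two call sites is right. `mbedtls_x509write_crt_set_key_usage()` continues past the end of the hunk.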
@@ -255,16 +280,22 @@ int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert
*ctx,
{
unsigned char buf[4];
unsigned char *c;
+ size_t unused_bits;
int ret;
c = buf + 4;
- if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4
)
+ unused_bits = crt_get_unused_bits_for_named_bitstring( ns_cert_type, 0 );
+ ret = mbedtls_asn1_write_bitstring( &c,
+ buf,
+ &ns_cert_type,
+ 8 - unused_bits );
+ if( ret < 3 || ret > 4 )
return( ret );
ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
- 0, buf, 4 );
+ 0, c, (size_t)ret );
if( ret != 0 )
return( ret );
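Review bot: The new range check `if( ret < 3 || ret > 4 ) return( ret );` in `mbedtls_x509write_crt_set_ns_cert_type()` hands a positive out-of-range length back to the caller as if it were a status code. The key-usage setter in this same file returns `MBEDTLS_ERR_X509_INVALID_FORMAT` for that case. With the 4-byte `buf` a positive value outside 3..4 looks unreachable, but a caller testing `ret < 0` would treat it as success if the encoding ever changed. The CSR variant in x509write_csr.c has the same slip in a more obvious form: its `if( ret < 0 )` and `else if( ret < 3 || ret > 4 )` branches both end in `return( ret );`. I would make both functions match the key-usage setters: keep `if( ret < 0 ) return( ret );` and have the range branch `return( MBEDTLS_ERR_X509_INVALID_FORMAT );`.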
diff --git a/dll/3rdparty/mbedtls/x509write_csr.c b/dll/3rdparty/mbedtls/x509write_csr.c
index 1db31c3ef4..394fa3f3fc 100644
--- a/dll/3rdparty/mbedtls/x509write_csr.c
+++ b/dll/3rdparty/mbedtls/x509write_csr.c
@@ -87,20 +87,39 @@ int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr *ctx,
0, val, val_len );
}
+static size_t csr_get_unused_bits_for_named_bitstring( unsigned char bitstring,
+ size_t bit_offset )
+{
+ size_t unused_bits;
+
+ /* Count the unused bits removing trailing 0s */
+ for( unused_bits = bit_offset; unused_bits < 8; unused_bits++ )
+ if( ( ( bitstring >> unused_bits ) & 0x1 ) != 0 )
+ break;
+
+ return( unused_bits );
+}
+
int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char
key_usage )
{
unsigned char buf[4];
unsigned char *c;
+ size_t unused_bits;
int ret;
c = buf + 4;
- if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 7 ) ) != 4 )
+ unused_bits = csr_get_unused_bits_for_named_bitstring( key_usage, 0 );
+ ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 8 - unused_bits );
+
+ if( ret < 0 )
return( ret );
+ else if( ret < 3 || ret > 4 )
+ return( MBEDTLS_ERR_X509_INVALID_FORMAT );
ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
- buf, 4 );
+ c, (size_t)ret );
if( ret != 0 )
return( ret );
@@ -112,16 +131,25 @@ int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr
*ctx,
{
unsigned char buf[4];
unsigned char *c;
+ size_t unused_bits;
int ret;
c = buf + 4;
- if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4
)
+ unused_bits = csr_get_unused_bits_for_named_bitstring( ns_cert_type, 0 );
+ ret = mbedtls_asn1_write_bitstring( &c,
+ buf,
+ &ns_cert_type,
+ 8 - unused_bits );
+
+ if( ret < 0 )
+ return( ret );
+ else if( ret < 3 || ret > 4 )
return( ret );
ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
- buf, 4 );
+ c, (size_t)ret );
if( ret != 0 )
return( ret );
diff --git a/media/doc/3rd Party Files.txt b/media/doc/3rd Party Files.txt
index e82f0aff3f..eae8f6caff 100644
--- a/media/doc/3rd Party Files.txt
+++ b/media/doc/3rd Party Files.txt
@@ -87,7 +87,7 @@ Used Version: 4.0.10
Website:
http://www.simplesystems.org/libtiff/
Title: mbed TLS
-Used Version: 2.7.9
+Used Version: 2.7.10
Website:
https://tls.mbed.org/
Title: libpng
diff --git a/sdk/include/reactos/libs/mbedtls/aesni.h
b/sdk/include/reactos/libs/mbedtls/aesni.h
index 1aebdfc0e9..c2fec4da60 100644
--- a/sdk/include/reactos/libs/mbedtls/aesni.h
+++ b/sdk/include/reactos/libs/mbedtls/aesni.h
@@ -26,6 +26,12 @@
#ifndef MBEDTLS_AESNI_H
#define MBEDTLS_AESNI_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include "aes.h"
#define MBEDTLS_AESNI_AES 0x02000000u
diff --git a/sdk/include/reactos/libs/mbedtls/asn1write.h
b/sdk/include/reactos/libs/mbedtls/asn1write.h
index 0b832e5c2a..2ced49d978 100644
--- a/sdk/include/reactos/libs/mbedtls/asn1write.h
+++ b/sdk/include/reactos/libs/mbedtls/asn1write.h
@@ -26,6 +26,12 @@
#ifndef MBEDTLS_ASN1_WRITE_H
#define MBEDTLS_ASN1_WRITE_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include "asn1.h"
#define MBEDTLS_ASN1_CHK_ADD(g, f) do { if( ( ret = f ) < 0 ) return( ret ); else \
@@ -185,24 +191,27 @@ int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char
*start,
const char *text, size_t text_len );
/**
- * \brief Write a bitstring tag (MBEDTLS_ASN1_BIT_STRING) and
- * value in ASN.1 format
- * Note: function works backwards in data buffer
+ * \brief Write a bitstring tag (#MBEDTLS_ASN1_BIT_STRING) and
+ * value in ASN.1 format.
*
- * \param p reference to current position pointer
- * \param start start of the buffer (for bounds-checking)
- * \param buf the bitstring
- * \param bits the total number of bits in the bitstring
+ * \note This function works backwards in data buffer.
*
- * \return the length written or a negative error code
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param buf The bitstring to write.
+ * \param bits The total number of bits in the bitstring.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative error code on failure.
*/
int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
const unsigned char *buf, size_t bits );
/**
- * \brief Write an octet string tag (MBEDTLS_ASN1_OCTET_STRING) and
- * value in ASN.1 format
- * Note: function works backwards in data buffer
+ * \brief Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING)
+ * and value in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
*
* \param p reference to current position pointer
* \param start start of the buffer (for bounds-checking)
diff --git a/sdk/include/reactos/libs/mbedtls/base64.h
b/sdk/include/reactos/libs/mbedtls/base64.h
index ce5563e1d4..478a3d6f24 100644
--- a/sdk/include/reactos/libs/mbedtls/base64.h
+++ b/sdk/include/reactos/libs/mbedtls/base64.h
@@ -26,6 +26,12 @@
#ifndef MBEDTLS_BASE64_H
#define MBEDTLS_BASE64_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include <stddef.h>
#define MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL -0x002A /**< Output buffer
too small. */
diff --git a/sdk/include/reactos/libs/mbedtls/bn_mul.h
b/sdk/include/reactos/libs/mbedtls/bn_mul.h
index 34ff50fb07..b5bbd71dc3 100644
--- a/sdk/include/reactos/libs/mbedtls/bn_mul.h
+++ b/sdk/include/reactos/libs/mbedtls/bn_mul.h
@@ -40,6 +40,12 @@
#ifndef MBEDTLS_BN_MUL_H
#define MBEDTLS_BN_MUL_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include "bignum.h"
#if defined(MBEDTLS_HAVE_ASM)
@@ -736,7 +742,7 @@
"sw $10, %2 \n\t" \
: "=m" (c), "=m" (d), "=m" (s)
\
: "m" (s), "m" (d), "m" (c), "m" (b)
\
- : "$9", "$10", "$11", "$12",
"$13", "$14", "$15" \
+ : "$9", "$10", "$11", "$12",
"$13", "$14", "$15", "lo", "hi" \
);
#endif /* MIPS */
diff --git a/sdk/include/reactos/libs/mbedtls/ccm.h
b/sdk/include/reactos/libs/mbedtls/ccm.h
index 435009a7a1..f826b4491e 100644
--- a/sdk/include/reactos/libs/mbedtls/ccm.h
+++ b/sdk/include/reactos/libs/mbedtls/ccm.h
@@ -36,6 +36,12 @@
#ifndef MBEDTLS_CCM_H
#define MBEDTLS_CCM_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include "cipher.h"
#define MBEDTLS_ERR_CCM_BAD_INPUT -0x000D /**< Bad input parameters to the
function. */
diff --git a/sdk/include/reactos/libs/mbedtls/certs.h
b/sdk/include/reactos/libs/mbedtls/certs.h
index ae0f84a307..31a6e86bba 100644
--- a/sdk/include/reactos/libs/mbedtls/certs.h
+++ b/sdk/include/reactos/libs/mbedtls/certs.h
@@ -26,6 +26,12 @@
#ifndef MBEDTLS_CERTS_H
#define MBEDTLS_CERTS_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include <stddef.h>
#ifdef __cplusplus
diff --git a/sdk/include/reactos/libs/mbedtls/cmac.h
b/sdk/include/reactos/libs/mbedtls/cmac.h
index 7ab0c1056b..e0c23cb55e 100644
--- a/sdk/include/reactos/libs/mbedtls/cmac.h
+++ b/sdk/include/reactos/libs/mbedtls/cmac.h
@@ -28,6 +28,12 @@
#ifndef MBEDTLS_CMAC_H
#define MBEDTLS_CMAC_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include "cipher.h"
#ifdef __cplusplus
diff --git a/sdk/include/reactos/libs/mbedtls/compat-1.3.h
b/sdk/include/reactos/libs/mbedtls/compat-1.3.h
index 21ded5db82..45647b0393 100644
--- a/sdk/include/reactos/libs/mbedtls/compat-1.3.h
+++ b/sdk/include/reactos/libs/mbedtls/compat-1.3.h
@@ -27,6 +27,12 @@
* This file is part of mbed TLS (
https://tls.mbed.org)
*/
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_DEPRECATED_WARNING)
diff --git a/sdk/include/reactos/libs/mbedtls/config.h
b/sdk/include/reactos/libs/mbedtls/config.h
index 912b5564c5..4e78b52b6d 100644
--- a/sdk/include/reactos/libs/mbedtls/config.h
+++ b/sdk/include/reactos/libs/mbedtls/config.h
@@ -558,6 +558,26 @@
*/
#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+/**
+ * \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
+ *
+ * Remove 3DES ciphersuites by default in SSL / TLS.
+ * This flag removes the ciphersuites based on 3DES from the default list as
+ * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible
+ * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
+ * them explicitly.
+ *
+ * A man-in-the-browser attacker can recover authentication tokens sent through
+ * a TLS connection using a 3DES based cipher suite (see "On the Practical
+ * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
+ * Leurent, see
https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
+ * in your threat model or you are unsure, then you should keep this option
+ * enabled to remove 3DES based cipher suites.
+ *
+ * Comment this macro to keep 3DES in the default ciphersuite list.
+ */
+#define MBEDTLS_REMOVE_3DES_CIPHERSUITES
+
/**
* \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
*
diff --git a/sdk/include/reactos/libs/mbedtls/ctr_drbg.h
b/sdk/include/reactos/libs/mbedtls/ctr_drbg.h
index dedce771a9..eec3f7c888 100644
--- a/sdk/include/reactos/libs/mbedtls/ctr_drbg.h
+++ b/sdk/include/reactos/libs/mbedtls/ctr_drbg.h
@@ -30,6 +30,12 @@
#ifndef MBEDTLS_CTR_DRBG_H
#define MBEDTLS_CTR_DRBG_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include "aes.h"
#if defined(MBEDTLS_THREADING_C)
diff --git a/sdk/include/reactos/libs/mbedtls/ecdh.h
b/sdk/include/reactos/libs/mbedtls/ecdh.h
index d5bc59f5a4..6cfa7119cb 100644
--- a/sdk/include/reactos/libs/mbedtls/ecdh.h
+++ b/sdk/include/reactos/libs/mbedtls/ecdh.h
@@ -35,6 +35,12 @@
#ifndef MBEDTLS_ECDH_H
#define MBEDTLS_ECDH_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include "ecp.h"
#ifdef __cplusplus
diff --git a/sdk/include/reactos/libs/mbedtls/ecdsa.h
b/sdk/include/reactos/libs/mbedtls/ecdsa.h
index 68b4931f44..9659bc07f2 100644
--- a/sdk/include/reactos/libs/mbedtls/ecdsa.h
+++ b/sdk/include/reactos/libs/mbedtls/ecdsa.h
@@ -33,6 +33,12 @@
#ifndef MBEDTLS_ECDSA_H
#define MBEDTLS_ECDSA_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include "ecp.h"
#include "md.h"
diff --git a/sdk/include/reactos/libs/mbedtls/ecjpake.h
b/sdk/include/reactos/libs/mbedtls/ecjpake.h
index 2107f31a62..fca0477422 100644
--- a/sdk/include/reactos/libs/mbedtls/ecjpake.h
+++ b/sdk/include/reactos/libs/mbedtls/ecjpake.h
@@ -42,6 +42,11 @@
* The payloads are serialized in a way suitable for use in TLS, but could
* also be use outside TLS.
*/
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
#include "ecp.h"
#include "md.h"
diff --git a/sdk/include/reactos/libs/mbedtls/ecp.h
b/sdk/include/reactos/libs/mbedtls/ecp.h
index 2d0ddcf75c..adac0b2dc0 100644
--- a/sdk/include/reactos/libs/mbedtls/ecp.h
+++ b/sdk/include/reactos/libs/mbedtls/ecp.h
@@ -26,6 +26,12 @@
#ifndef MBEDTLS_ECP_H
#define MBEDTLS_ECP_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include "bignum.h"
/*
diff --git a/sdk/include/reactos/libs/mbedtls/ecp_internal.h
b/sdk/include/reactos/libs/mbedtls/ecp_internal.h
index 73bccd4269..70afecdf10 100644
--- a/sdk/include/reactos/libs/mbedtls/ecp_internal.h
+++ b/sdk/include/reactos/libs/mbedtls/ecp_internal.h
@@ -63,6 +63,12 @@
#ifndef MBEDTLS_ECP_INTERNAL_H
#define MBEDTLS_ECP_INTERNAL_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#if defined(MBEDTLS_ECP_INTERNAL_ALT)
/**
diff --git a/sdk/include/reactos/libs/mbedtls/error.h
b/sdk/include/reactos/libs/mbedtls/error.h
index cb0548ba78..363675709d 100644
--- a/sdk/include/reactos/libs/mbedtls/error.h
+++ b/sdk/include/reactos/libs/mbedtls/error.h
@@ -26,6 +26,12 @@
#ifndef MBEDTLS_ERROR_H
#define MBEDTLS_ERROR_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include <stddef.h>
/**
diff --git a/sdk/include/reactos/libs/mbedtls/gcm.h
b/sdk/include/reactos/libs/mbedtls/gcm.h
index 081c1f1a68..5778d3fbb9 100644
--- a/sdk/include/reactos/libs/mbedtls/gcm.h
+++ b/sdk/include/reactos/libs/mbedtls/gcm.h
@@ -33,6 +33,12 @@
#ifndef MBEDTLS_GCM_H
#define MBEDTLS_GCM_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include "cipher.h"
#include <stdint.h>
diff --git a/sdk/include/reactos/libs/mbedtls/havege.h
b/sdk/include/reactos/libs/mbedtls/havege.h
index 34229e6265..37ccfe3568 100644
--- a/sdk/include/reactos/libs/mbedtls/havege.h
+++ b/sdk/include/reactos/libs/mbedtls/havege.h
@@ -26,6 +26,12 @@
#ifndef MBEDTLS_HAVEGE_H
#define MBEDTLS_HAVEGE_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include <stddef.h>
#define MBEDTLS_HAVEGE_COLLECT_SIZE 1024
diff --git a/sdk/include/reactos/libs/mbedtls/hmac_drbg.h
b/sdk/include/reactos/libs/mbedtls/hmac_drbg.h
index 91b1dbda9e..71f6c35812 100644
--- a/sdk/include/reactos/libs/mbedtls/hmac_drbg.h
+++ b/sdk/include/reactos/libs/mbedtls/hmac_drbg.h
@@ -26,6 +26,12 @@
#ifndef MBEDTLS_HMAC_DRBG_H
#define MBEDTLS_HMAC_DRBG_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include "md.h"
#if defined(MBEDTLS_THREADING_C)
diff --git a/sdk/include/reactos/libs/mbedtls/net.h
b/sdk/include/reactos/libs/mbedtls/net.h
index 84d2955dc3..c18671259c 100644
--- a/sdk/include/reactos/libs/mbedtls/net.h
+++ b/sdk/include/reactos/libs/mbedtls/net.h
@@ -25,6 +25,11 @@
*
* This file is part of mbed TLS (
https://tls.mbed.org)
*/
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
#include "net_sockets.h"
diff --git a/sdk/include/reactos/libs/mbedtls/padlock.h
b/sdk/include/reactos/libs/mbedtls/padlock.h
index 705a812cb9..9333119aae 100644
--- a/sdk/include/reactos/libs/mbedtls/padlock.h
+++ b/sdk/include/reactos/libs/mbedtls/padlock.h
@@ -27,6 +27,12 @@
#ifndef MBEDTLS_PADLOCK_H
#define MBEDTLS_PADLOCK_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include "aes.h"
#define MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED -0x0030 /**< Input data
should be aligned. */
diff --git a/sdk/include/reactos/libs/mbedtls/pem.h
b/sdk/include/reactos/libs/mbedtls/pem.h
index 06a648371e..6e8443359a 100644
--- a/sdk/include/reactos/libs/mbedtls/pem.h
+++ b/sdk/include/reactos/libs/mbedtls/pem.h
@@ -26,6 +26,12 @@
#ifndef MBEDTLS_PEM_H
#define MBEDTLS_PEM_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include <stddef.h>
/**
diff --git a/sdk/include/reactos/libs/mbedtls/pkcs12.h
b/sdk/include/reactos/libs/mbedtls/pkcs12.h
index 1b6f449a0b..86b85125ae 100644
--- a/sdk/include/reactos/libs/mbedtls/pkcs12.h
+++ b/sdk/include/reactos/libs/mbedtls/pkcs12.h
@@ -26,6 +26,12 @@
#ifndef MBEDTLS_PKCS12_H
#define MBEDTLS_PKCS12_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include "md.h"
#include "cipher.h"
#include "asn1.h"
diff --git a/sdk/include/reactos/libs/mbedtls/pkcs5.h
b/sdk/include/reactos/libs/mbedtls/pkcs5.h
index ffd729fdac..c936c032ed 100644
--- a/sdk/include/reactos/libs/mbedtls/pkcs5.h
+++ b/sdk/include/reactos/libs/mbedtls/pkcs5.h
@@ -28,6 +28,12 @@
#ifndef MBEDTLS_PKCS5_H
#define MBEDTLS_PKCS5_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include "asn1.h"
#include "md.h"
diff --git a/sdk/include/reactos/libs/mbedtls/ssl_cache.h
b/sdk/include/reactos/libs/mbedtls/ssl_cache.h
index 3252075e07..0a9367c61c 100644
--- a/sdk/include/reactos/libs/mbedtls/ssl_cache.h
+++ b/sdk/include/reactos/libs/mbedtls/ssl_cache.h
@@ -26,6 +26,12 @@
#ifndef MBEDTLS_SSL_CACHE_H
#define MBEDTLS_SSL_CACHE_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include "ssl.h"
#if defined(MBEDTLS_THREADING_C)
diff --git a/sdk/include/reactos/libs/mbedtls/ssl_ciphersuites.h
b/sdk/include/reactos/libs/mbedtls/ssl_ciphersuites.h
index d7bc190ed1..05d8ebbce8 100644
--- a/sdk/include/reactos/libs/mbedtls/ssl_ciphersuites.h
+++ b/sdk/include/reactos/libs/mbedtls/ssl_ciphersuites.h
@@ -26,6 +26,12 @@
#ifndef MBEDTLS_SSL_CIPHERSUITES_H
#define MBEDTLS_SSL_CIPHERSUITES_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include "pk.h"
#include "cipher.h"
#include "md.h"
diff --git a/sdk/include/reactos/libs/mbedtls/ssl_cookie.h
b/sdk/include/reactos/libs/mbedtls/ssl_cookie.h
index edd9351678..9f846c3e2b 100644
--- a/sdk/include/reactos/libs/mbedtls/ssl_cookie.h
+++ b/sdk/include/reactos/libs/mbedtls/ssl_cookie.h
@@ -26,6 +26,12 @@
#ifndef MBEDTLS_SSL_COOKIE_H
#define MBEDTLS_SSL_COOKIE_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include "ssl.h"
#if defined(MBEDTLS_THREADING_C)
diff --git a/sdk/include/reactos/libs/mbedtls/ssl_internal.h
b/sdk/include/reactos/libs/mbedtls/ssl_internal.h
index 75611fd767..44a6caff67 100644
--- a/sdk/include/reactos/libs/mbedtls/ssl_internal.h
+++ b/sdk/include/reactos/libs/mbedtls/ssl_internal.h
@@ -26,6 +26,12 @@
#ifndef MBEDTLS_SSL_INTERNAL_H
#define MBEDTLS_SSL_INTERNAL_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include "ssl.h"
#include "cipher.h"
diff --git a/sdk/include/reactos/libs/mbedtls/ssl_ticket.h
b/sdk/include/reactos/libs/mbedtls/ssl_ticket.h
index c4ae9df484..ffdc49616d 100644
--- a/sdk/include/reactos/libs/mbedtls/ssl_ticket.h
+++ b/sdk/include/reactos/libs/mbedtls/ssl_ticket.h
@@ -26,6 +26,12 @@
#ifndef MBEDTLS_SSL_TICKET_H
#define MBEDTLS_SSL_TICKET_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
/*
* This implementation of the session ticket callbacks includes key
* management, rotating the keys periodically in order to preserve forward
diff --git a/sdk/include/reactos/libs/mbedtls/version.h
b/sdk/include/reactos/libs/mbedtls/version.h
index ea1568fbdb..b0d49d21c4 100644
--- a/sdk/include/reactos/libs/mbedtls/version.h
+++ b/sdk/include/reactos/libs/mbedtls/version.h
@@ -42,16 +42,16 @@
*/
#define MBEDTLS_VERSION_MAJOR 2
#define MBEDTLS_VERSION_MINOR 7
-#define MBEDTLS_VERSION_PATCH 9
+#define MBEDTLS_VERSION_PATCH 10
/**
* The single version number has the following structure:
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define MBEDTLS_VERSION_NUMBER 0x02070900
-#define MBEDTLS_VERSION_STRING "2.7.9"
-#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.7.9"
+#define MBEDTLS_VERSION_NUMBER 0x02070A00
+#define MBEDTLS_VERSION_STRING "2.7.10"
+#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.7.10"
#if defined(MBEDTLS_VERSION_C)
diff --git a/sdk/include/reactos/libs/mbedtls/x509_csr.h
b/sdk/include/reactos/libs/mbedtls/x509_csr.h
index 82a24c548d..9acbe243a0 100644
--- a/sdk/include/reactos/libs/mbedtls/x509_csr.h
+++ b/sdk/include/reactos/libs/mbedtls/x509_csr.h
@@ -207,6 +207,14 @@ void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx,
mbedtls_md_ty
* \param key_usage key usage flags to set
*
* \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ *
+ * \note The <code>decipherOnly</code> flag from the Key Usage
+ * extension is represented by bit 8 (i.e.
+ * <code>0x8000</code>), which cannot typically be
represented
+ * in an unsigned char. Therefore, the flag
+ * <code>decipherOnly</code> (i.e.
+ * #MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this
+ * function.
*/
int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char
key_usage );