From 4b68bbe18ce971f830c37d76aecede1d2cd412df Mon Sep 17 00:00:00 2001
From: Amine Khaldi
Date: Sun, 21 Feb 2016 10:56:57 +0000
Subject: [PATCH] [MBEDTLS] Sync to v2.2.1. By Ismael Ferreras Morezuelas. CORE-10817
svn path=/trunk/; revision=70765
---
reactos/dll/3rdparty/mbedtls/asn1write.c | 21 +-
reactos/dll/3rdparty/mbedtls/bignum.c | 188 +++++++++++-----
reactos/dll/3rdparty/mbedtls/error.c | 2 +
reactos/dll/3rdparty/mbedtls/gcm.c | 2 +-
reactos/dll/3rdparty/mbedtls/rsa.c | 8 +-
reactos/dll/3rdparty/mbedtls/ssl_cli.c | 6 +-
reactos/dll/3rdparty/mbedtls/ssl_srv.c | 4 +-
reactos/dll/3rdparty/mbedtls/ssl_tls.c | 205 +++++++++++-------
reactos/dll/3rdparty/mbedtls/x509_crt.c | 10 -
reactos/include/reactos/libs/mbedtls/bignum.h | 1 +
.../include/reactos/libs/mbedtls/compat-1.3.h | 5 +-
reactos/include/reactos/libs/mbedtls/config.h | 52 ++---
.../include/reactos/libs/mbedtls/ecjpake.h | 2 +-
reactos/include/reactos/libs/mbedtls/error.h | 2 +-
reactos/include/reactos/libs/mbedtls/md.h | 2 +-
reactos/include/reactos/libs/mbedtls/md2.h | 2 +-
reactos/include/reactos/libs/mbedtls/md4.h | 2 +-
reactos/include/reactos/libs/mbedtls/md5.h | 2 +-
.../include/reactos/libs/mbedtls/ripemd160.h | 2 +-
reactos/include/reactos/libs/mbedtls/sha1.h | 2 +-
reactos/include/reactos/libs/mbedtls/sha256.h | 2 +-
reactos/include/reactos/libs/mbedtls/sha512.h | 2 +-
reactos/include/reactos/libs/mbedtls/ssl.h | 45 +++-
.../include/reactos/libs/mbedtls/version.h | 8 +-
.../include/reactos/libs/mbedtls/x509_crl.h | 3 +-
.../include/reactos/libs/mbedtls/x509_crt.h | 2 +-
.../include/reactos/libs/mbedtls/x509_csr.h | 2 +-
reactos/media/doc/3rd Party Files.txt | 2 +-
28 files changed, 369 insertions(+), 217 deletions(-)
diff --git a/reactos/dll/3rdparty/mbedtls/asn1write.c b/reactos/dll/3rdparty/mbedtls/asn1write.c
index 456660d8b73..00ed73c1141 100644
--- a/reactos/dll/3rdparty/mbedtls/asn1write.c
+++ b/reactos/dll/3rdparty/mbedtls/asn1write.c
@@ -339,19 +339,18 @@ mbedtls_asn1_named_data *mbedtls_asn1_store_named_data( mbedtls_asn1_named_data } else if( cur->val.len < val_len ) { - // Enlarge existing value buffer if needed - // - mbedtls_free( cur->val.p ); - cur->val.p = NULL; + /* + * Enlarge existing value buffer if needed + * Preserve old data until the allocation succeeded, to leave list in + * a consistent state in case allocation fails. + */ + void *p = mbedtls_calloc( 1, val_len ); + if( p == NULL ) + return( NULL ); + mbedtls_free( cur->val.p ); + cur->val.p = p; cur->val.len = val_len; - cur->val.p = mbedtls_calloc( 1, val_len ); - if( cur->val.p == NULL ) - { - mbedtls_free( cur->oid.p ); - mbedtls_free( cur ); - return( NULL ); - } } if( val != NULL ) diff --git a/reactos/dll/3rdparty/mbedtls/bignum.c b/reactos/dll/3rdparty/mbedtls/bignum.c index 58a4cd2de51..0e587f15ed9 100644 --- a/reactos/dll/3rdparty/mbedtls/bignum.c +++ b/reactos/dll/3rdparty/mbedtls/bignum.c @@ -18,12 +18,21 @@ * * This file is part of mbed TLS (https://tls.mbed.org) */ + /* - * This MPI implementation is based on: + * The following sources were referenced in the design of this Multi-precision + * Integer library: + * + * [1] Handbook of Applied Cryptography - 1997 + * Menezes, van Oorschot and Vanstone + * + * [2] Multi-Precision Math + * Tom St Denis + * https://github.com/libtom/libtommath/blob/develop/tommath.pdf + * + * [3] GNU Multi-Precision Arithmetic Library + * https://gmplib.org/manual/index.html * - * http://www.cacr.math.uwaterloo.ca/hac/about/chap14.pdf - * http://www.stillhq.com/extracted/gnupg-api/mpi/ - * http://math.libtomcrypt.com/files/tommath.pdf */ #if !defined(MBEDTLS_CONFIG_FILE) 
@@ -347,6 +356,24 @@ size_t mbedtls_mpi_lsb( const mbedtls_mpi *X ) return( 0 ); } +/* + * Count leading zero bits in a given integer + */ +static size_t mbedtls_clz( const mbedtls_mpi_uint x ) +{ + size_t j; + mbedtls_mpi_uint mask = (mbedtls_mpi_uint) 1 << (biL - 1); + + for( j = 0; j < biL; j++ ) + { + if( x & mask ) break; + + mask >>= 1; + } + + return j; +} + /* * Return the number of bits */ @@ -361,9 +388,7 @@ size_t mbedtls_mpi_bitlen( const mbedtls_mpi *X ) if( X->p[i] != 0 ) break; - for( j = biL; j > 0; j-- ) - if( ( ( X->p[i] >> ( j - 1 ) ) & 1 ) != 0 ) - break; + j = biL - mbedtls_clz( X->p[i] ); return( ( i * biL ) + j ); } 
@@ -1186,6 +1211,102 @@ int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint return( mbedtls_mpi_mul_mpi( X, A, &_B ) ); } +/* + * Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and + * mbedtls_mpi_uint divisor, d + */ +static mbedtls_mpi_uint mbedtls_int_div_int( mbedtls_mpi_uint u1, + mbedtls_mpi_uint u0, mbedtls_mpi_uint d, mbedtls_mpi_uint *r ) +{ +#if defined(MBEDTLS_HAVE_UDBL) + mbedtls_t_udbl dividend, quotient; +#else + const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH; + const mbedtls_mpi_uint uint_halfword_mask = ( (mbedtls_mpi_uint) 1 << biH ) - 1; + mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient; + mbedtls_mpi_uint u0_msw, u0_lsw; + size_t s; +#endif + + /* + * Check for overflow + */ + if( 0 == d || u1 >= d ) + { + if (r != NULL) *r = ~0; + + return ( ~0 ); + } + +#if defined(MBEDTLS_HAVE_UDBL) + dividend = (mbedtls_t_udbl) u1 << biL; + dividend |= (mbedtls_t_udbl) u0; + quotient = dividend / d; + if( quotient > ( (mbedtls_t_udbl) 1 << biL ) - 1 ) + quotient = ( (mbedtls_t_udbl) 1 << biL ) - 1; + + if( r != NULL ) + *r = (mbedtls_mpi_uint)( dividend - (quotient * d ) ); + + return (mbedtls_mpi_uint) quotient; +#else + + /* + * Algorithm D, Section 4.3.1 - The Art of Computer Programming + * Vol. 
2 - Seminumerical Algorithms, Knuth + */ + + /* + * Normalize the divisor, d, and dividend, u0, u1 + */ + s = mbedtls_clz( d ); + d = d << s; + + u1 = u1 << s; + u1 |= ( u0 >> ( biL - s ) ) & ( -(mbedtls_mpi_sint)s >> ( biL - 1 ) ); + u0 = u0 << s; + + d1 = d >> biH; + d0 = d & uint_halfword_mask; + + u0_msw = u0 >> biH; + u0_lsw = u0 & uint_halfword_mask; + + /* + * Find the first quotient and remainder + */ + q1 = u1 / d1; + r0 = u1 - d1 * q1; + + while( q1 >= radix || ( q1 * d0 > radix * r0 + u0_msw ) ) + { + q1 -= 1; + r0 += d1; + + if ( r0 >= radix ) break; + } + + rAX = ( u1 * radix ) + ( u0_msw - q1 * d ); + q0 = rAX / d1; + r0 = rAX - q0 * d1; + + while( q0 >= radix || ( q0 * d0 > radix * r0 + u0_lsw ) ) + { + q0 -= 1; + r0 += d1; + + if ( r0 >= radix ) break; + } + + if (r != NULL) + *r = ( rAX * radix + u0_lsw - q0 * d ) >> s; + + quotient = q1 * radix + q0; + + return quotient; +#endif +} + /* * Division by mbedtls_mpi: A = Q * B + R (HAC 14.20) */ 
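Review bot: In the non-`MBEDTLS_HAVE_UDBL` branch of `mbedtls_int_div_int`, the normalisation step `u1 |= ( u0 >> ( biL - s ) ) & ( -(mbedtls_mpi_sint)s >> ( biL - 1 ) );` still evaluates `u0 >> biL` when `s` is 0, that is whenever the divisor already has its top bit set, and a shift by the full width of the type is undefined behaviour in C even though the mask then discards the result. The mask also depends on a right shift of a negative `mbedtls_mpi_sint` being arithmetic, which is implementation-defined. Guarding the step, `if( s != 0 ) u1 |= u0 >> ( biL - s );`, yields the same value without either assumption. The file is vendored from mbed TLS, so the change is better raised upstream than carried as a local delta.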
@@ -1243,57 +1364,8 @@ int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, c Z.p[i - t - 1] = ~0; else { -#if defined(MBEDTLS_HAVE_UDBL) - mbedtls_t_udbl r; - - r = (mbedtls_t_udbl) X.p[i] << biL; - r |= (mbedtls_t_udbl) X.p[i - 1]; - r /= Y.p[t]; - if( r > ( (mbedtls_t_udbl) 1 << biL ) - 1 ) - r = ( (mbedtls_t_udbl) 1 << biL ) - 1; - - Z.p[i - t - 1] = (mbedtls_mpi_uint) r; -#else - /* - * __udiv_qrnnd_c, from gmp/longlong.h - */ - mbedtls_mpi_uint q0, q1, r0, r1; - mbedtls_mpi_uint d0, d1, d, m; - - d = Y.p[t]; - d0 = ( d << biH ) >> biH; - d1 = ( d >> biH ); - - q1 = X.p[i] / d1; - r1 = X.p[i] - d1 * q1; - r1 <<= biH; - r1 |= ( X.p[i - 1] >> biH ); - - m = q1 * d0; - if( r1 < m ) - { - q1--, r1 += d; - while( r1 >= d && r1 < m ) - q1--, r1 += d; - } - r1 -= m; - - q0 = r1 / d1; - r0 = r1 - d1 * q0; - r0 <<= biH; - r0 |= ( X.p[i - 1] << biH ) >> biH; - - m = q0 * d0; - if( r0 < m ) - { - q0--, r0 += d; - while( r0 >= d && r0 < m ) - q0--, r0 += d; - } - r0 -= m; - - Z.p[i - t - 1] = ( q1 << biH ) | q0; -#endif /* MBEDTLS_HAVE_UDBL && !64-bit Apple with Clang 5.0 */ + Z.p[i - t - 1] = mbedtls_int_div_int( X.p[i], X.p[i - 1], + Y.p[t], NULL); } Z.p[i - t - 1]++; diff --git a/reactos/dll/3rdparty/mbedtls/error.c b/reactos/dll/3rdparty/mbedtls/error.c index a1cf83aed44..debda1d7867 100644 --- a/reactos/dll/3rdparty/mbedtls/error.c +++ b/reactos/dll/3rdparty/mbedtls/error.c @@ -430,6 +430,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "SSL - The operation timed out" ); if( use_ret == -(MBEDTLS_ERR_SSL_CLIENT_RECONNECT) ) mbedtls_snprintf( buf, buflen, "SSL - The client initiated a reconnect from the same port" ); + if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) ) + mbedtls_snprintf( buf, buflen, "SSL - Record header looks valid but is not expected" ); #endif /* MBEDTLS_SSL_TLS_C */ #if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C) 
diff --git a/reactos/dll/3rdparty/mbedtls/gcm.c b/reactos/dll/3rdparty/mbedtls/gcm.c index 4298254d2be..aaacf97d612 100644 --- a/reactos/dll/3rdparty/mbedtls/gcm.c +++ b/reactos/dll/3rdparty/mbedtls/gcm.c @@ -362,7 +362,7 @@ int mbedtls_gcm_update( mbedtls_gcm_context *ctx, /* Total length is restricted to 2^39 - 256 bits, ie 2^36 - 2^5 bytes * Also check for possible overflow */ if( ctx->len + length < ctx->len || - (uint64_t) ctx->len + length > 0x03FFFFE0ull ) + (uint64_t) ctx->len + length > 0xFFFFFFFE0ull ) { return( MBEDTLS_ERR_GCM_BAD_INPUT ); } diff --git a/reactos/dll/3rdparty/mbedtls/rsa.c b/reactos/dll/3rdparty/mbedtls/rsa.c index 1f907b7645b..efdd055c410 100644 --- a/reactos/dll/3rdparty/mbedtls/rsa.c +++ b/reactos/dll/3rdparty/mbedtls/rsa.c @@ -1086,9 +1086,15 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, * temporary buffer and check it before returning it. */ sig_try = mbedtls_calloc( 1, ctx->len ); + if( sig_try == NULL ) + return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); + verif = mbedtls_calloc( 1, ctx->len ); - if( sig_try == NULL || verif == NULL ) + if( verif == NULL ) + { + mbedtls_free( sig_try ); return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); + } MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) ); MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) ); diff --git a/reactos/dll/3rdparty/mbedtls/ssl_cli.c b/reactos/dll/3rdparty/mbedtls/ssl_cli.c index 9663fae4a5e..4452169d980 100644 --- a/reactos/dll/3rdparty/mbedtls/ssl_cli.c +++ b/reactos/dll/3rdparty/mbedtls/ssl_cli.c @@ -2096,7 +2096,7 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, */ if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE ) { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used unsupported " + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported " "HashAlgorithm %d", *(p)[0] ) ); return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); } 
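Review bot: The corrected bound in `mbedtls_gcm_update` is still a bare literal, `0xFFFFFFFE0ull`, and the value it replaces shows how a wrong digit count in such a constant can sit unnoticed under a comment that states the right limit. Deriving it from that comment, `(uint64_t) ctx->len + length > ( ( 1ull << 36 ) - 32 )`, keeps the check and the documented 2^36 - 2^5 byte limit visibly in step. The declarations of `ctx->len` and `length` are outside this hunk, so the separate wraparound test in the first half of the condition should stay as it is. As the file is vendored, this is a suggestion for upstream.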
@@ -2106,7 +2106,7 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, */ if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE ) { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "server used unsupported " + MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported " "SignatureAlgorithm %d", (*p)[1] ) ); return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); } @@ -2116,7 +2116,7 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, */ if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 ) { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "server used HashAlgorithm " + MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm " "that was not offered" ) ); return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); } diff --git a/reactos/dll/3rdparty/mbedtls/ssl_srv.c b/reactos/dll/3rdparty/mbedtls/ssl_srv.c index 9afd399895c..6b5b461e17f 100644 --- a/reactos/dll/3rdparty/mbedtls/ssl_srv.c +++ b/reactos/dll/3rdparty/mbedtls/ssl_srv.c @@ -2584,7 +2584,9 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) { dn_size = crt->subject_raw.len; - if( end < p || (size_t)( end - p ) < 2 + dn_size ) + if( end < p || + (size_t)( end - p ) < dn_size || + (size_t)( end - p ) < 2 + dn_size ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) ); break; diff --git a/reactos/dll/3rdparty/mbedtls/ssl_tls.c b/reactos/dll/3rdparty/mbedtls/ssl_tls.c index c18a3b4d80f..4424f56776b 100644 --- a/reactos/dll/3rdparty/mbedtls/ssl_tls.c +++ b/reactos/dll/3rdparty/mbedtls/ssl_tls.c 
@@ -3465,6 +3465,18 @@ static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl ) * uint16 epoch; // DTLS only * uint48 sequence_number; // DTLS only * uint16 length; + * + * Return 0 if header looks sane (and, for DTLS, the record is expected) + * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad, + * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected. + * + * With DTLS, mbedtls_ssl_read_record() will: + * 1. proceed with the record if this function returns 0 + * 2. drop only the current record if this function returns UNEXPECTED_RECORD + * 3. return CLIENT_RECONNECT if this function return that value + * 4. drop the whole datagram if this function returns anything else. + * Point 2 is needed when the peer is resending, and we have already received + * the first record from a datagram but are still waiting for the others. */ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) { 
@@ -3500,16 +3512,86 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_INVALID_RECORD ); } + /* Check version */ + if( major_ver != ssl->major_ver ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) ); + return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + } + + if( minor_ver > ssl->conf->max_minor_ver ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) ); + return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + } + + /* Check length against the size of our buffer */ + if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN + - (size_t)( ssl->in_msg - ssl->in_buf ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); + return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + } + + /* Check length against bounds of the current transform and version */ + if( ssl->transform_in == NULL ) + { + if( ssl->in_msglen < 1 || + ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); + return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + } + } + else + { + if( ssl->in_msglen < ssl->transform_in->minlen ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); + return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + } + +#if defined(MBEDTLS_SSL_PROTO_SSL3) + if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && + ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); + return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + } +#endif +#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ + defined(MBEDTLS_SSL_PROTO_TLS1_2) + /* + * TLS encrypted messages can have up to 256 bytes of padding + */ + if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 && + ssl->in_msglen > ssl->transform_in->minlen + + MBEDTLS_SSL_MAX_CONTENT_LEN + 256 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); + return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + } +#endif + } + + /* + * DTLS-related tests done last, because most of them may result in + * 
silently dropping the record (but not the whole datagram), and we only + * want to consider that after ensuring that the "basic" fields (type, + * version, length) are sane. + */ #if defined(MBEDTLS_SSL_PROTO_DTLS) if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { + unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1]; + /* Drop unexpected ChangeCipherSpec messages */ if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC && ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) ); - return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); } /* Drop unexpected ApplicationData records, @@ -3523,30 +3605,10 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) ); - return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); } - } -#endif - - /* Check version */ - if( major_ver != ssl->major_ver ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) ); - return( MBEDTLS_ERR_SSL_INVALID_RECORD ); - } - - if( minor_ver > ssl->conf->max_minor_ver ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) ); - return( MBEDTLS_ERR_SSL_INVALID_RECORD ); - } - - /* Check epoch (and sequence number) with DTLS */ -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) - { - unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1]; + /* Check epoch (and sequence number) with DTLS */ if( rec_epoch != ssl->in_epoch ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: " 
@@ -3573,7 +3635,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) } else #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ - return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); } #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 
@@ -3582,61 +3644,12 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) ); - return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); } #endif } #endif /* MBEDTLS_SSL_PROTO_DTLS */ - /* Check length against the size of our buffer */ - if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN - - (size_t)( ssl->in_msg - ssl->in_buf ) ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); - return( MBEDTLS_ERR_SSL_INVALID_RECORD ); - } - - /* Check length against bounds of the current transform and version */ - if( ssl->transform_in == NULL ) - { - if( ssl->in_msglen < 1 || - ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); - return( MBEDTLS_ERR_SSL_INVALID_RECORD ); - } - } - else - { - if( ssl->in_msglen < ssl->transform_in->minlen ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); - return( MBEDTLS_ERR_SSL_INVALID_RECORD ); - } - -#if defined(MBEDTLS_SSL_PROTO_SSL3) - if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && - ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); - return( MBEDTLS_ERR_SSL_INVALID_RECORD ); - } -#endif -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) - /* - * TLS encrypted messages can have up to 256 bytes of padding - */ - if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 && - ssl->in_msglen > ssl->transform_in->minlen + - MBEDTLS_SSL_MAX_CONTENT_LEN + 256 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); - return( MBEDTLS_ERR_SSL_INVALID_RECORD ); - } -#endif - } - return( 0 ); } 
@@ -3762,13 +3775,26 @@ read_record_header: if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT ) { - /* Ignore bad record and get next one; drop the whole datagram - * since current header cannot be trusted to find the next record - * in current datagram */ - ssl->next_record_offset = 0; - ssl->in_left = 0; + if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ) + { + /* Skip unexpected record (but not whole datagram) */ + ssl->next_record_offset = ssl->in_msglen + + mbedtls_ssl_hdr_len( ssl ); + + MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record " + "(header)" ) ); + } + else + { + /* Skip invalid record and the rest of the datagram */ + ssl->next_record_offset = 0; + ssl->in_left = 0; - MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (header)" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record " + "(header)" ) ); + } + + /* Get next record */ goto read_record_header; } #endif @@ -7071,6 +7097,23 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf ) memset( conf, 0, sizeof( mbedtls_ssl_config ) ); } +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) +static int ssl_preset_default_hashes[] = { +#if defined(MBEDTLS_SHA512_C) + MBEDTLS_MD_SHA512, + MBEDTLS_MD_SHA384, +#endif +#if defined(MBEDTLS_SHA256_C) + MBEDTLS_MD_SHA256, + MBEDTLS_MD_SHA224, +#endif +#if defined(MBEDTLS_SHA1_C) + MBEDTLS_MD_SHA1, +#endif + MBEDTLS_MD_NONE +}; +#endif + static int ssl_preset_suiteb_ciphersuites[] = { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, @@ -7227,7 +7270,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, #endif #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) - conf->sig_hashes = mbedtls_md_list(); + conf->sig_hashes = ssl_preset_default_hashes; #endif #if defined(MBEDTLS_ECP_C) diff --git a/reactos/dll/3rdparty/mbedtls/x509_crt.c b/reactos/dll/3rdparty/mbedtls/x509_crt.c index 91e4f50b931..6dc5ad34f41 100644 
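Review bot: The new `MBEDTLS_ERR_SSL_UNEXPECTED_RECORD` branch sets `ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl );` from a length field supplied by the peer, and nothing in the visible lines compares that offset with the number of bytes actually received in the datagram (`ssl->in_left`). `ssl_parse_record_header`, reordered earlier in this patch, bounds `in_msglen` by the input buffer size before it can return this code, but that is a weaker limit than the datagram length. Unless the fetch routine reached through `goto read_record_header` rejects an offset beyond `in_left` (it is outside this hunk), a guard such as `if( ssl->next_record_offset > ssl->in_left ) { ssl->next_record_offset = 0; ssl->in_left = 0; }` would fall back to discarding the whole datagram, as the invalid-record branch does. The enclosing function starts and ends outside the hunk.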
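Review bot: `ssl_preset_default_hashes` carries no comment on what the list is for or why these members were chosen, and the only description is the ssl.h text changed in this same patch, "all available hashes except MD5", which does not match the array: it holds only the SHA-2 digests plus SHA-1, so any other digest the previous `mbedtls_md_list()` default supplied is dropped as well. A comment above the array such as `/* Default signature hashes: SHA-2 family, then SHA-1 when built in; terminated by MBEDTLS_MD_NONE */` would record that, and the ssl.h wording could say the same. It is also worth stating there that SHA-1 remains in the default, so integrators who need a stricter policy know to set their own list. The array could probably be `static const int`, though the type of `conf->sig_hashes` is not visible in this hunk.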
--- a/reactos/dll/3rdparty/mbedtls/x509_crt.c +++ b/reactos/dll/3rdparty/mbedtls/x509_crt.c @@ -2253,18 +2253,8 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, { /* Look for a parent upwards the chain */ for( parent = crt->next; parent != NULL; parent = parent->next ) - { - /* +2 because the current step is not yet accounted for - * and because max_pathlen is one higher than it should be */ - if( parent->max_pathlen > 0 && - parent->max_pathlen < 2 + pathlen ) - { - continue; - } - if( x509_crt_check_parent( crt, parent, 0, pathlen == 0 ) == 0 ) break; - } /* Are we part of the chain or at the top? */ if( parent != NULL ) diff --git a/reactos/include/reactos/libs/mbedtls/bignum.h b/reactos/include/reactos/libs/mbedtls/bignum.h index 146224a2b7a..aa51556a574 100644 --- a/reactos/include/reactos/libs/mbedtls/bignum.h +++ b/reactos/include/reactos/libs/mbedtls/bignum.h @@ -122,6 +122,7 @@ #define MBEDTLS_HAVE_INT64 typedef int64_t mbedtls_mpi_sint; typedef uint64_t mbedtls_mpi_uint; + /* mbedtls_t_udbl defined as 128-bit unsigned int */ typedef unsigned int mbedtls_t_udbl __attribute__((mode(TI))); #define MBEDTLS_HAVE_UDBL #else diff --git a/reactos/include/reactos/libs/mbedtls/compat-1.3.h b/reactos/include/reactos/libs/mbedtls/compat-1.3.h index 1ddfff8ccef..27abbd97207 100644 --- a/reactos/include/reactos/libs/mbedtls/compat-1.3.h +++ b/reactos/include/reactos/libs/mbedtls/compat-1.3.h @@ -1,7 +1,8 @@ /** - * \file config.h + * \file compat-1.3.h * - * \brief Compatibility names (set of defines) + * \brief Compatibility definitions for using mbed TLS with client code written + * for the PolarSSL naming conventions. * * \deprecated Use the new names directly instead * diff --git a/reactos/include/reactos/libs/mbedtls/config.h b/reactos/include/reactos/libs/mbedtls/config.h index bc10e641c51..34e55027c0b 100644 --- a/reactos/include/reactos/libs/mbedtls/config.h +++ b/reactos/include/reactos/libs/mbedtls/config.h 
@@ -3,6 +3,10 @@ * * \brief Configuration options (set of defines) * + * This set of compile-time options may be used to enable + * or disable features selectively, and reduce the global + * memory footprint. + * * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * @@ -21,20 +25,9 @@ * This file is part of mbed TLS (https://tls.mbed.org) */ -/* - * This set of compile-time options may be used to enable - * or disable features selectively, and reduce the global - * memory footprint. - */ #ifndef MBEDTLS_CONFIG_H #define MBEDTLS_CONFIG_H -#ifndef __REACTOS__ -#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) -#define _CRT_SECURE_NO_DEPRECATE 1 -#endif -#endif - /** * \name SECTION: System support * @@ -134,10 +127,10 @@ //#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS /** - * \def MBEDTLS_PLATFORM_XXX_ALT + * \def MBEDTLS_PLATFORM_EXIT_ALT * - * Uncomment a macro to let mbed TLS support the function in the platform - * abstraction layer. + * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the + * function in the platform abstraction layer. * * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will * provide a function "mbedtls_platform_set_printf()" that allows you to set an 
@@ -210,12 +203,12 @@ //#define MBEDTLS_TIMING_ALT /** - * \def MBEDTLS__MODULE_NAME__ALT + * \def MBEDTLS_AES_ALT * - * Uncomment a macro to let mbed TLS use your alternate core implementation of - * a symmetric crypto or hash module (e.g. platform specific assembly - * optimized implementations). Keep in mind that the function prototypes - * should remain the same. + * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your + * alternate core implementation of a symmetric crypto or hash module (e.g. + * platform specific assembly optimized implementations). Keep in mind that + * the function prototypes should remain the same. * * This replaces the whole module. If you only want to replace one of the * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags. @@ -243,11 +236,11 @@ //#define MBEDTLS_SHA512_ALT /** - * \def MBEDTLS__FUNCTION_NAME__ALT + * \def MBEDTLS_MD2_PROCESS_ALT * - * Uncomment a macro to let mbed TLS use you alternate core implementation of - * symmetric crypto or hash function. Keep in mind that function prototypes - * should remain the same. + * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you + * alternate core implementation of symmetric crypto or hash function. Keep in + * mind that function prototypes should remain the same. * * This replaces only one function. The header file from mbed TLS is still * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags. @@ -366,10 +359,11 @@ //#define MBEDTLS_CIPHER_NULL_CIPHER /** - * \def MBEDTLS_CIPHER_PADDING_XXX + * \def MBEDTLS_CIPHER_PADDING_PKCS7 * - * Uncomment or comment macros to add support for specific padding modes - * in the cipher layer with cipher modes that support padding (e.g. CBC) + * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for + * specific padding modes in the cipher layer with cipher modes that support + * padding (e.g. CBC) * * If you disable all padding modes, only full blocks can be used with CBC. * 
@@ -409,10 +403,10 @@ #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES /** - * \def MBEDTLS_ECP_XXXX_ENABLED + * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED * - * Enables specific curves within the Elliptic Curve module. - * By default all supported curves are enabled. + * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve + * module. By default all supported curves are enabled. * * Comment macros to disable the curve and functions for it */ diff --git a/reactos/include/reactos/libs/mbedtls/ecjpake.h b/reactos/include/reactos/libs/mbedtls/ecjpake.h index 3bbf27edf10..b7b61604d07 100644 --- a/reactos/include/reactos/libs/mbedtls/ecjpake.h +++ b/reactos/include/reactos/libs/mbedtls/ecjpake.h @@ -64,7 +64,7 @@ typedef enum { * * In order to benefit from this symmetry, we choose a different naming * convetion from the Thread v1.0 spec. Correspondance is indicated in the - * description as a pair C: , S: + * description as a pair C: client name, S: server name */ typedef struct { diff --git a/reactos/include/reactos/libs/mbedtls/error.h b/reactos/include/reactos/libs/mbedtls/error.h index a182713d7c2..5e549f6b6a7 100644 --- a/reactos/include/reactos/libs/mbedtls/error.h +++ b/reactos/include/reactos/libs/mbedtls/error.h @@ -79,7 +79,7 @@ * ECP 4 8 (Started from top) * MD 5 4 * CIPHER 6 6 - * SSL 6 16 (Started from top) + * SSL 6 17 (Started from top) * SSL 7 31 * * Module dependent error code (5 bits 0x.00.-0x.F8.) diff --git a/reactos/include/reactos/libs/mbedtls/md.h b/reactos/include/reactos/libs/mbedtls/md.h index 77c2c6f6806..b90235533d5 100644 --- a/reactos/include/reactos/libs/mbedtls/md.h +++ b/reactos/include/reactos/libs/mbedtls/md.h @@ -1,5 +1,5 @@ /** - * \file mbedtls_md.h + * \file md.h * * \brief Generic message digest wrapper * diff --git a/reactos/include/reactos/libs/mbedtls/md2.h b/reactos/include/reactos/libs/mbedtls/md2.h index 51d79486b40..0f93fbf427d 100644 --- a/reactos/include/reactos/libs/mbedtls/md2.h 
+++ b/reactos/include/reactos/libs/mbedtls/md2.h @@ -1,5 +1,5 @@ /** - * \file mbedtls_md2.h + * \file md2.h * * \brief MD2 message digest algorithm (hash function) * diff --git a/reactos/include/reactos/libs/mbedtls/md4.h b/reactos/include/reactos/libs/mbedtls/md4.h index 12cb81dc5b5..45214d41d9f 100644 --- a/reactos/include/reactos/libs/mbedtls/md4.h +++ b/reactos/include/reactos/libs/mbedtls/md4.h @@ -1,5 +1,5 @@ /** - * \file mbedtls_md4.h + * \file md4.h * * \brief MD4 message digest algorithm (hash function) * diff --git a/reactos/include/reactos/libs/mbedtls/md5.h b/reactos/include/reactos/libs/mbedtls/md5.h index 09d8a947e0e..5a64061aa0c 100644 --- a/reactos/include/reactos/libs/mbedtls/md5.h +++ b/reactos/include/reactos/libs/mbedtls/md5.h @@ -1,5 +1,5 @@ /** - * \file mbedtls_md5.h + * \file md5.h * * \brief MD5 message digest algorithm (hash function) * diff --git a/reactos/include/reactos/libs/mbedtls/ripemd160.h b/reactos/include/reactos/libs/mbedtls/ripemd160.h index a92d3844940..7083fc8599f 100644 --- a/reactos/include/reactos/libs/mbedtls/ripemd160.h +++ b/reactos/include/reactos/libs/mbedtls/ripemd160.h @@ -1,5 +1,5 @@ /** - * \file mbedtls_ripemd160.h + * \file ripemd160.h * * \brief RIPE MD-160 message digest * diff --git a/reactos/include/reactos/libs/mbedtls/sha1.h b/reactos/include/reactos/libs/mbedtls/sha1.h index 2b74d06d082..7a67c6c1fb1 100644 --- a/reactos/include/reactos/libs/mbedtls/sha1.h +++ b/reactos/include/reactos/libs/mbedtls/sha1.h @@ -1,5 +1,5 @@ /** - * \file mbedtls_sha1.h + * \file sha1.h * * \brief SHA-1 cryptographic hash function * diff --git a/reactos/include/reactos/libs/mbedtls/sha256.h b/reactos/include/reactos/libs/mbedtls/sha256.h index bc8b226e244..f8041adf082 100644 --- a/reactos/include/reactos/libs/mbedtls/sha256.h +++ b/reactos/include/reactos/libs/mbedtls/sha256.h @@ -1,5 +1,5 @@ /** - * \file mbedtls_sha256.h + * \file sha256.h * * \brief SHA-224 and SHA-256 cryptographic hash function * 
diff --git a/reactos/include/reactos/libs/mbedtls/sha512.h b/reactos/include/reactos/libs/mbedtls/sha512.h index 9462764f196..627694f425f 100644 --- a/reactos/include/reactos/libs/mbedtls/sha512.h +++ b/reactos/include/reactos/libs/mbedtls/sha512.h @@ -1,5 +1,5 @@ /** - * \file mbedtls_sha512.h + * \file sha512.h * * \brief SHA-384 and SHA-512 cryptographic hash function * diff --git a/reactos/include/reactos/libs/mbedtls/ssl.h b/reactos/include/reactos/libs/mbedtls/ssl.h index 810409c6545..ff5f3897fb7 100644 --- a/reactos/include/reactos/libs/mbedtls/ssl.h +++ b/reactos/include/reactos/libs/mbedtls/ssl.h @@ -106,6 +106,7 @@ #define MBEDTLS_ERR_SSL_WANT_WRITE -0x6880 /**< Connection requires a write call. */ #define MBEDTLS_ERR_SSL_TIMEOUT -0x6800 /**< The operation timed out. */ #define MBEDTLS_ERR_SSL_CLIENT_RECONNECT -0x6780 /**< The client initiated a reconnect from the same port. */ +#define MBEDTLS_ERR_SSL_UNEXPECTED_RECORD -0x6700 /**< Record header looks valid but is not expected. */ /* * Various constants @@ -1610,7 +1611,7 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) /** * \brief Set the allowed hashes for signatures during the handshake. - * (Default: all available hashes.) + * (Default: all available hashes except MD5.) * * \note This only affects which hashes are offered and can be used * for signatures during the handshake. Hashes for message 
@@ -2167,7 +2168,8 @@ int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session * \note If this function returns something other than 0 or * MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context * becomes unusable, and you should either free it or call - * \c mbedtls_ssl_session_reset() on it before re-using it. + * \c mbedtls_ssl_session_reset() on it before re-using it for + * a new connection; the current connection must be closed. * * \note If DTLS is in use, then you may choose to handle * MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED specially for logging @@ -2183,6 +2185,12 @@ int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ); * the following state after execution of this function. * Do not call this function if state is MBEDTLS_SSL_HANDSHAKE_OVER. * + * \note If this function returns something other than 0 or + * MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context + * becomes unusable, and you should either free it or call + * \c mbedtls_ssl_session_reset() on it before re-using it for + * a new connection; the current connection must be closed. + * * \param ssl SSL context * * \return 0 if successful, or @@ -2201,6 +2209,12 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ); * \param ssl SSL context * * \return 0 if successful, or any mbedtls_ssl_handshake() return value. + * + * \note If this function returns something other than 0 or + * MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context + * becomes unusable, and you should either free it or call + * \c mbedtls_ssl_session_reset() on it before re-using it for + * a new connection; the current connection must be closed. */ int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl ); #endif /* MBEDTLS_SSL_RENEGOTIATION */ 
@@ -2218,6 +2232,13 @@ int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl );
 * MBEDTLS_ERR_SSL_CLIENT_RECONNECT (see below), or
 * another negative error code.
 *
+ * \note If this function returns something other than a positive
+ * value or MBEDTLS_ERR_SSL_WANT_READ/WRITE or
+ * MBEDTLS_ERR_SSL_CLIENT_RECONNECT, then the ssl context
+ * becomes unusable, and you should either free it or call
+ * \c mbedtls_ssl_session_reset() on it before re-using it for
+ * a new connection; the current connection must be closed.
+ *
 * \note When this function return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
 * (which can only happen server-side), it means that a client
 * is initiating a new connection using the same source port.
@@ -2251,6 +2272,12 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
 * or MBEDTLS_ERR_SSL_WANT_WRITE of MBEDTLS_ERR_SSL_WANT_READ,
 * or another negative error code.
 *
+ * \note If this function returns something other than a positive
+ * value or MBEDTLS_ERR_SSL_WANT_READ/WRITE, the ssl context
+ * becomes unusable, and you should either free it or call
+ * \c mbedtls_ssl_session_reset() on it before re-using it for
+ * a new connection; the current connection must be closed.
+ *
 * \note When this function returns MBEDTLS_ERR_SSL_WANT_WRITE/READ,
 * it must be called later with the *same* arguments,
 * until it returns a positive value.
@@ -2274,6 +2301,12 @@ int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_ * \param message The alert message (SSL_ALERT_MSG_*) * * \return 0 if successful, or a specific SSL error code. + * + * \note If this function returns something other than 0 or + * MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context + * becomes unusable, and you should either free it or call + * \c mbedtls_ssl_session_reset() on it before re-using it for + * a new connection; the current connection must be closed. */ int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, unsigned char level, @@ -2282,6 +2315,14 @@ int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, * \brief Notify the peer that the connection is being closed * * \param ssl SSL context + * + * \return 0 if successful, or a specific SSL error code. + * + * \note If this function returns something other than 0 or + * MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context + * becomes unusable, and you should either free it or call + * \c mbedtls_ssl_session_reset() on it before re-using it for + * a new connection; the current connection must be closed. */ int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ); diff --git a/reactos/include/reactos/libs/mbedtls/version.h b/reactos/include/reactos/libs/mbedtls/version.h index df2a1a75e0f..ea2966e8ac4 100644 --- a/reactos/include/reactos/libs/mbedtls/version.h +++ b/reactos/include/reactos/libs/mbedtls/version.h 
@@ -39,16 +39,16 @@ */ #define MBEDTLS_VERSION_MAJOR 2 #define MBEDTLS_VERSION_MINOR 2 -#define MBEDTLS_VERSION_PATCH 0 +#define MBEDTLS_VERSION_PATCH 1 /** * The single version number has the following structure: * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x02020000 -#define MBEDTLS_VERSION_STRING "2.2.0" -#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.2.0" +#define MBEDTLS_VERSION_NUMBER 0x02020100 +#define MBEDTLS_VERSION_STRING "2.2.1" +#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.2.1" #if defined(MBEDTLS_VERSION_C) diff --git a/reactos/include/reactos/libs/mbedtls/x509_crl.h b/reactos/include/reactos/libs/mbedtls/x509_crl.h index c50c4efcaf7..79884399003 100644 --- a/reactos/include/reactos/libs/mbedtls/x509_crl.h +++ b/reactos/include/reactos/libs/mbedtls/x509_crl.h @@ -1,5 +1,5 @@ /** - * \file mbedtls_x509_crl.h + * \file x509_crl.h * * \brief X.509 certificate revocation list parsing * @@ -100,6 +100,7 @@ mbedtls_x509_crl; * * \param chain points to the start of the chain * \param buf buffer holding the CRL data in DER format + * \param buflen size of the buffer * (including the terminating null byte for PEM data) * * \return 0 if successful, or a specific X509 or PEM error code diff --git a/reactos/include/reactos/libs/mbedtls/x509_crt.h b/reactos/include/reactos/libs/mbedtls/x509_crt.h index 294f36a28a0..fe821d1cfb1 100644 --- a/reactos/include/reactos/libs/mbedtls/x509_crt.h +++ b/reactos/include/reactos/libs/mbedtls/x509_crt.h @@ -1,5 +1,5 @@ /** - * \file mbedtls_x509_crt.h + * \file x509_crt.h * * \brief X.509 certificate parsing and writing * diff --git a/reactos/include/reactos/libs/mbedtls/x509_csr.h b/reactos/include/reactos/libs/mbedtls/x509_csr.h index 98c75bcff4e..34998a3a59e 100644 --- a/reactos/include/reactos/libs/mbedtls/x509_csr.h +++ b/reactos/include/reactos/libs/mbedtls/x509_csr.h 
@@ -1,5 +1,5 @@ /** - * \file mbedtls_x509_csr.h + * \file x509_csr.h * * \brief X.509 certificate signing request parsing and writing * diff --git a/reactos/media/doc/3rd Party Files.txt b/reactos/media/doc/3rd Party Files.txt index 55f8c4d7ddc..de34c22f941 100644 --- a/reactos/media/doc/3rd Party Files.txt +++ b/reactos/media/doc/3rd Party Files.txt @@ -83,7 +83,7 @@ Used Version: 9a Website: http://www.ijg.org/ Title: mbed TLS -Used Version: 2.2.0 +Used Version: 2.2.1 Website: https://tls.mbed.org/ Title: libpng -- 2.17.1