From ca86ee9c037111718c0b2c1be284b987c445fdee Mon Sep 17 00:00:00 2001 
From: Thomas Faber Date: Wed, 27 Mar 2019 15:40:37 +0100 Subject: [PATCH] [MBEDTLS] Update to version 2.7.10. CORE-15895 --- dll/3rdparty/mbedtls/asn1write.c | 28 +++++---- dll/3rdparty/mbedtls/bignum.c | 38 ++++++++----- dll/3rdparty/mbedtls/ecdsa.c | 9 ++- dll/3rdparty/mbedtls/ssl_ciphersuites.c | 57 ++++++++++++------- dll/3rdparty/mbedtls/version_features.c | 3 + dll/3rdparty/mbedtls/x509_csr.c | 15 ++++- dll/3rdparty/mbedtls/x509write_crt.c | 47 ++++++++++++--- dll/3rdparty/mbedtls/x509write_csr.c | 36 ++++++++++-- media/doc/3rd Party Files.txt | 2 +- sdk/include/reactos/libs/mbedtls/aesni.h | 6 ++ sdk/include/reactos/libs/mbedtls/asn1write.h | 31 ++++++---- sdk/include/reactos/libs/mbedtls/base64.h | 6 ++ sdk/include/reactos/libs/mbedtls/bn_mul.h | 8 ++- sdk/include/reactos/libs/mbedtls/ccm.h | 6 ++ sdk/include/reactos/libs/mbedtls/certs.h | 6 ++ sdk/include/reactos/libs/mbedtls/cmac.h | 6 ++ sdk/include/reactos/libs/mbedtls/compat-1.3.h | 6 ++ sdk/include/reactos/libs/mbedtls/config.h | 20 +++++++ sdk/include/reactos/libs/mbedtls/ctr_drbg.h | 6 ++ sdk/include/reactos/libs/mbedtls/ecdh.h | 6 ++ sdk/include/reactos/libs/mbedtls/ecdsa.h | 6 ++ sdk/include/reactos/libs/mbedtls/ecjpake.h | 5 ++ sdk/include/reactos/libs/mbedtls/ecp.h | 6 ++ .../reactos/libs/mbedtls/ecp_internal.h | 6 ++ sdk/include/reactos/libs/mbedtls/error.h | 6 ++ sdk/include/reactos/libs/mbedtls/gcm.h | 6 ++ sdk/include/reactos/libs/mbedtls/havege.h | 6 ++ sdk/include/reactos/libs/mbedtls/hmac_drbg.h | 6 ++ sdk/include/reactos/libs/mbedtls/net.h | 5 ++ sdk/include/reactos/libs/mbedtls/padlock.h | 6 ++ sdk/include/reactos/libs/mbedtls/pem.h | 6 ++ sdk/include/reactos/libs/mbedtls/pkcs12.h | 6 ++ sdk/include/reactos/libs/mbedtls/pkcs5.h | 6 ++ sdk/include/reactos/libs/mbedtls/ssl_cache.h | 6 ++ .../reactos/libs/mbedtls/ssl_ciphersuites.h | 6 ++ sdk/include/reactos/libs/mbedtls/ssl_cookie.h | 6 ++ .../reactos/libs/mbedtls/ssl_internal.h | 6 ++ sdk/include/reactos/libs/mbedtls/ssl_ticket.h | 6 ++ 
sdk/include/reactos/libs/mbedtls/version.h | 8 +-- sdk/include/reactos/libs/mbedtls/x509_csr.h | 8 +++ 40 files changed, 384 insertions(+), 80 deletions(-) diff --git a/dll/3rdparty/mbedtls/asn1write.c b/dll/3rdparty/mbedtls/asn1write.c index bbcba87ce5a..0025053cabe 100644 --- a/dll/3rdparty/mbedtls/asn1write.c +++ b/dll/3rdparty/mbedtls/asn1write.c @@ -296,22 +296,28 @@ int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start, const unsigned char *buf, size_t bits ) { int ret; - size_t len = 0, size; + size_t len = 0; + size_t unused_bits, byte_len; - size = ( bits / 8 ) + ( ( bits % 8 ) ? 1 : 0 ); + byte_len = ( bits + 7 ) / 8; + unused_bits = ( byte_len * 8 ) - bits; - // Calculate byte length - // - if( *p < start || (size_t)( *p - start ) < size + 1 ) + if( *p < start || (size_t)( *p - start ) < byte_len + 1 ) return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); - len = size + 1; - (*p) -= size; - memcpy( *p, buf, size ); + len = byte_len + 1; - // Write unused bits - // - *--(*p) = (unsigned char) (size * 8 - bits); + /* Write the bitstring. Ensure the unused bits are zeroed */ + if( byte_len > 0 ) + { + byte_len--; + *--( *p ) = buf[byte_len] & ~( ( 0x1 << unused_bits ) - 1 ); + ( *p ) -= byte_len; + memcpy( *p, buf, byte_len ); + } + + /* Write unused bits */ + *--( *p ) = (unsigned char)unused_bits; MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_BIT_STRING ) ); diff --git a/dll/3rdparty/mbedtls/bignum.c b/dll/3rdparty/mbedtls/bignum.c index 7194bf895a7..9b4eee48937 100644 --- a/dll/3rdparty/mbedtls/bignum.c +++ b/dll/3rdparty/mbedtls/bignum.c 
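Review bot: `byte_len = ( bits + 7 ) / 8` in mbedtls_asn1_write_bitstring wraps when `bits` is close enough to SIZE_MAX that `bits + 7` overflows, which the removed `( bits / 8 ) + ( ( bits % 8 ) ? 1 : 0 )` form did not. In that case byte_len collapses to 0, the bounds check passes, and the wrapped `unused_bits` is truncated into the unused-bits octet, so the function encodes an empty bit string that does not correspond to the input instead of reporting an error. The callers visible in this patch pass at most 8 bits, so this is a robustness gap rather than a reachable memory error. An overflow-free form such as `byte_len = bits / 8 + ( bits % 8 != 0 );` gives the same result for all ordinary inputs. Since this is imported code, the change belongs upstream rather than in a local edit.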
@@ -502,26 +502,38 @@ cleanup: } /* - * Helper to write the digits high-order first + * Helper to write the digits high-order first. */ -static int mpi_write_hlp( mbedtls_mpi *X, int radix, char **p ) +static int mpi_write_hlp( mbedtls_mpi *X, int radix, + char **p, const size_t buflen ) { int ret; mbedtls_mpi_uint r; + size_t length = 0; + char *p_end = *p + buflen; - if( radix < 2 || radix > 16 ) - return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA ); + do + { + if( length >= buflen ) + { + return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL ); + } - MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, radix ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_div_int( X, NULL, X, radix ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, radix ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_div_int( X, NULL, X, radix ) ); + /* + * Write the residue in the current position, as an ASCII character. + */ + if( r < 0xA ) + *(--p_end) = (char)( '0' + r ); + else + *(--p_end) = (char)( 'A' + ( r - 0xA ) ); - if( mbedtls_mpi_cmp_int( X, 0 ) != 0 ) - MBEDTLS_MPI_CHK( mpi_write_hlp( X, radix, p ) ); + length++; + } while( mbedtls_mpi_cmp_int( X, 0 ) != 0 ); - if( r < 10 ) - *(*p)++ = (char)( r + 0x30 ); - else - *(*p)++ = (char)( r + 0x37 ); + memmove( *p, p_end, length ); + *p += length; cleanup: @@ -591,7 +603,7 @@ int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix, if( T.s == -1 ) T.s = 1; - MBEDTLS_MPI_CHK( mpi_write_hlp( &T, radix, &p ) ); + MBEDTLS_MPI_CHK( mpi_write_hlp( &T, radix, &p, buflen ) ); } *p++ = '\0'; diff --git a/dll/3rdparty/mbedtls/ecdsa.c b/dll/3rdparty/mbedtls/ecdsa.c index e97e6cb4337..3f2cf1d31f8 100644 --- a/dll/3rdparty/mbedtls/ecdsa.c +++ b/dll/3rdparty/mbedtls/ecdsa.c 
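Review bot: In mpi_write_hlp, `p_end = *p + buflen` treats `*p` as the start of the output buffer, but the call site in the second hunk passes mbedtls_mpi_write_string's whole `buflen` together with a `p` that may already have been advanced. The context line `if( T.s == -1 )` suggests a sign character can be emitted before the call, outside the hunk; if it is, p_end sits one byte past the end of the buffer, the first digit is stored out of bounds, and the `length >= buflen` check allows one digit more than remains. Confirm that the caller reduces the length for anything it has already written, for example `buflen--` next to the sign write, or pass the remaining space instead. The radix range check was also removed from the helper, so it now relies on the caller validating `radix` before the division loop; that check is not visible here.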
@@ -422,8 +422,13 @@ cleanup: int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { - return( mbedtls_ecp_group_load( &ctx->grp, gid ) || - mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng ) ); + int ret = 0; + ret = mbedtls_ecp_group_load( &ctx->grp, gid ); + if( ret != 0 ) + return( ret ); + + return( mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d, + &ctx->Q, f_rng, p_rng ) ); } #endif /* MBEDTLS_ECDSA_GENKEY_ALT */ diff --git a/dll/3rdparty/mbedtls/ssl_ciphersuites.c b/dll/3rdparty/mbedtls/ssl_ciphersuites.c index b9b21ad8f24..46d9a57674f 100644 --- a/dll/3rdparty/mbedtls/ssl_ciphersuites.c +++ b/dll/3rdparty/mbedtls/ssl_ciphersuites.c @@ -45,11 +45,11 @@ /* * Ordered from most preferred to least preferred in terms of security. * - * Current rule (except rc4, weak and null which come last): + * Current rule (except RC4 and 3DES, weak and null which come last): * 1. By key exchange: * Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK > other PSK * 2. By key length and cipher: - * AES-256 > Camellia-256 > AES-128 > Camellia-128 > 3DES + * AES-256 > Camellia-256 > AES-128 > Camellia-128 * 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8 * 4. By hash function used when relevant * 5. By key exchange/auth again: EC > non-EC @@ -107,11 +107,6 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, - /* All remaining >= 128-bit ephemeral suites */ - MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, - MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, - MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, - /* The PSK ephemeral suites */ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM, 
@@ -135,9 +130,6 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8, - MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, - MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, - /* The ECJPAKE suite */ MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8, @@ -185,11 +177,6 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, - /* All remaining >= 128-bit suites */ - MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA, - MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, - MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, - /* The RSA PSK suites */ MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, @@ -203,8 +190,6 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256, MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, - MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, - /* The PSK suites */ MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384, MBEDTLS_TLS_PSK_WITH_AES_256_CCM, @@ -222,6 +207,16 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256, MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8, + /* 3DES suites */ + MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, + MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, + MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, + MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA, + MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, + MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, + MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA, /* RC4 suites */ 
@@ -1706,6 +1701,26 @@ const int *mbedtls_ssl_list_ciphersuites( void ) static int supported_ciphersuites[MAX_CIPHERSUITES]; static int supported_init = 0; +static int ciphersuite_is_removed( const mbedtls_ssl_ciphersuite_t *cs_info ) +{ + (void)cs_info; + +#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES) + if( cs_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) + return( 1 ); +#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */ + +#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES) + if( cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_ECB || + cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_CBC ) + { + return( 1 ); + } +#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */ + + return( 0 ); +} + const int *mbedtls_ssl_list_ciphersuites( void ) { /* @@ -1721,14 +1736,12 @@ const int *mbedtls_ssl_list_ciphersuites( void ) *p != 0 && q < supported_ciphersuites + MAX_CIPHERSUITES - 1; p++ ) { -#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES) const mbedtls_ssl_ciphersuite_t *cs_info; if( ( cs_info = mbedtls_ssl_ciphersuite_from_id( *p ) ) != NULL && - cs_info->cipher != MBEDTLS_CIPHER_ARC4_128 ) -#else - if( mbedtls_ssl_ciphersuite_from_id( *p ) != NULL ) -#endif + !ciphersuite_is_removed( cs_info ) ) + { *(q++) = *p; + } } *q = 0; diff --git a/dll/3rdparty/mbedtls/version_features.c b/dll/3rdparty/mbedtls/version_features.c index e4605a4f009..eaae48cce53 100644 --- a/dll/3rdparty/mbedtls/version_features.c +++ b/dll/3rdparty/mbedtls/version_features.c @@ -272,6 +272,9 @@ static const char *features[] = { #if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES) "MBEDTLS_REMOVE_ARC4_CIPHERSUITES", #endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */ +#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES) + "MBEDTLS_REMOVE_3DES_CIPHERSUITES", +#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */ #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) "MBEDTLS_ECP_DP_SECP192R1_ENABLED", #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ diff --git a/dll/3rdparty/mbedtls/x509_csr.c b/dll/3rdparty/mbedtls/x509_csr.c index c1536135778..7598938d0c4 100644 
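Review bot: ciphersuite_is_removed() has no comment saying that it only filters the default list built by mbedtls_ssl_list_ciphersuites(), which is the only caller shown; per the option text added to config.h in this patch, 3DES suites can still be enabled explicitly with mbedtls_ssl_conf_ciphersuites(). A one-line header such as `/* Return 1 if cs_info is dropped from the default list by a MBEDTLS_REMOVE_*_CIPHERSUITES option; this is not a check on explicitly configured suites. */` would keep a reader from treating it as a policy gate. The `(void)cs_info;` line exists only to silence the unused-parameter warning when neither option is defined, which is also worth a short comment.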
--- a/dll/3rdparty/mbedtls/x509_csr.c +++ b/dll/3rdparty/mbedtls/x509_csr.c @@ -285,15 +285,24 @@ int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, siz { mbedtls_pem_init( &pem ); ret = mbedtls_pem_read_buffer( &pem, - "-----BEGIN CERTIFICATE REQUEST-----", - "-----END CERTIFICATE REQUEST-----", - buf, NULL, 0, &use_len ); + "-----BEGIN CERTIFICATE REQUEST-----", + "-----END CERTIFICATE REQUEST-----", + buf, NULL, 0, &use_len ); + if( ret == MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) + { + ret = mbedtls_pem_read_buffer( &pem, + "-----BEGIN NEW CERTIFICATE REQUEST-----", + "-----END NEW CERTIFICATE REQUEST-----", + buf, NULL, 0, &use_len ); + } if( ret == 0 ) + { /* * Was PEM encoded, parse the result */ ret = mbedtls_x509_csr_parse_der( csr, pem.buf, pem.buflen ); + } mbedtls_pem_free( &pem ); if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) diff --git a/dll/3rdparty/mbedtls/x509write_crt.c b/dll/3rdparty/mbedtls/x509write_crt.c index 3512be5f1da..a3aeeb5edcc 100644 --- a/dll/3rdparty/mbedtls/x509write_crt.c +++ b/dll/3rdparty/mbedtls/x509write_crt.c 
@@ -224,26 +224,51 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * } #endif /* MBEDTLS_SHA1_C */ +static size_t crt_get_unused_bits_for_named_bitstring( unsigned char bitstring, + size_t bit_offset ) +{ + size_t unused_bits; + + /* Count the unused bits removing trailing 0s */ + for( unused_bits = bit_offset; unused_bits < 8; unused_bits++ ) + if( ( ( bitstring >> unused_bits ) & 0x1 ) != 0 ) + break; + + return( unused_bits ); +} + int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, unsigned int key_usage ) { unsigned char buf[4], ku; unsigned char *c; int ret; - - /* We currently only support 7 bits, from 0x80 to 0x02 */ - if( ( key_usage & ~0xfe ) != 0 ) + size_t unused_bits; + const unsigned int allowed_bits = MBEDTLS_X509_KU_DIGITAL_SIGNATURE | + MBEDTLS_X509_KU_NON_REPUDIATION | + MBEDTLS_X509_KU_KEY_ENCIPHERMENT | + MBEDTLS_X509_KU_DATA_ENCIPHERMENT | + MBEDTLS_X509_KU_KEY_AGREEMENT | + MBEDTLS_X509_KU_KEY_CERT_SIGN | + MBEDTLS_X509_KU_CRL_SIGN; + + /* Check that nothing other than the allowed flags is set */ + if( ( key_usage & ~allowed_bits ) != 0 ) return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ); c = buf + 4; - ku = (unsigned char) key_usage; + ku = (unsigned char)key_usage; + unused_bits = crt_get_unused_bits_for_named_bitstring( ku, 1 ); + ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 8 - unused_bits ); - if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 7 ) ) != 4 ) + if( ret < 0 ) return( ret ); + else if( ret < 3 || ret > 4 ) + return( MBEDTLS_ERR_X509_INVALID_FORMAT ); ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_KEY_USAGE, MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ), - 1, buf, 4 ); + 1, c, (size_t)ret ); if( ret != 0 ) return( ret ); 
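Review bot: crt_get_unused_bits_for_named_bitstring() is added without a contract comment and is duplicated line for line as csr_get_unused_bits_for_named_bitstring() in x509write_csr.c later in this patch. The `bit_offset` argument is the non-obvious part: mbedtls_x509write_crt_set_key_usage passes 1 while the other callers pass 0, and the function returns 8 when no bit at or above the offset is set, which makes the caller write a zero-length bit string. I would document that on the helper, e.g. `/* Index of the lowest set bit at or above bit_offset; 8 if none is set. */`, and brace the `for` body. A single shared helper would keep the two copies from drifting apart.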
@@ -255,16 +280,22 @@ int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx, { unsigned char buf[4]; unsigned char *c; + size_t unused_bits; int ret; c = buf + 4; - if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 ) + unused_bits = crt_get_unused_bits_for_named_bitstring( ns_cert_type, 0 ); + ret = mbedtls_asn1_write_bitstring( &c, + buf, + &ns_cert_type, + 8 - unused_bits ); + if( ret < 3 || ret > 4 ) return( ret ); ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE, MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ), - 0, buf, 4 ); + 0, c, (size_t)ret ); if( ret != 0 ) return( ret ); diff --git a/dll/3rdparty/mbedtls/x509write_csr.c b/dll/3rdparty/mbedtls/x509write_csr.c index 1db31c3ef45..394fa3f3fc8 100644 --- a/dll/3rdparty/mbedtls/x509write_csr.c +++ b/dll/3rdparty/mbedtls/x509write_csr.c 
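Review bot: `if( ret < 3 || ret > 4 ) return( ret );` in mbedtls_x509write_crt_set_ns_cert_type hands back a positive length as if it were an error whenever the encoder returns a non-negative value outside 3..4. mbedtls_x509write_crt_set_key_usage in the previous hunk separates the two cases and maps the unexpected length to MBEDTLS_ERR_X509_INVALID_FORMAT; that split is missing here, and mbedtls_x509write_csr_set_ns_cert_type in x509write_csr.c has the split but still returns `ret` in its second branch. For a uniform error contract the range branch should be `return( MBEDTLS_ERR_X509_INVALID_FORMAT );`, preceded by `if( ret < 0 ) return( ret );`. With a 4-byte buffer and at most 8 bits the branch looks unreachable, so this is about consistency rather than a live failure.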
@@ -87,20 +87,39 @@ int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr *ctx, 0, val, val_len ); } +static size_t csr_get_unused_bits_for_named_bitstring( unsigned char bitstring, + size_t bit_offset ) +{ + size_t unused_bits; + + /* Count the unused bits removing trailing 0s */ + for( unused_bits = bit_offset; unused_bits < 8; unused_bits++ ) + if( ( ( bitstring >> unused_bits ) & 0x1 ) != 0 ) + break; + + return( unused_bits ); +} + int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage ) { unsigned char buf[4]; unsigned char *c; + size_t unused_bits; int ret; c = buf + 4; - if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 7 ) ) != 4 ) + unused_bits = csr_get_unused_bits_for_named_bitstring( key_usage, 0 ); + ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 8 - unused_bits ); + + if( ret < 0 ) return( ret ); + else if( ret < 3 || ret > 4 ) + return( MBEDTLS_ERR_X509_INVALID_FORMAT ); ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_KEY_USAGE, MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ), - buf, 4 ); + c, (size_t)ret ); if( ret != 0 ) return( ret ); @@ -112,16 +131,25 @@ int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx, { unsigned char buf[4]; unsigned char *c; + size_t unused_bits; int ret; c = buf + 4; - if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 ) + unused_bits = csr_get_unused_bits_for_named_bitstring( ns_cert_type, 0 ); + ret = mbedtls_asn1_write_bitstring( &c, + buf, + &ns_cert_type, + 8 - unused_bits ); + + if( ret < 0 ) + return( ret ); + else if( ret < 3 || ret > 4 ) return( ret ); ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE, MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ), - buf, 4 ); + c, (size_t)ret ); if( ret != 0 ) return( ret ); diff --git a/media/doc/3rd Party Files.txt b/media/doc/3rd Party Files.txt index e82f0aff3f8..eae8f6caff3 100644 --- a/media/doc/3rd Party Files.txt 
+++ b/media/doc/3rd Party Files.txt @@ -87,7 +87,7 @@ Used Version: 4.0.10 Website: http://www.simplesystems.org/libtiff/ Title: mbed TLS -Used Version: 2.7.9 +Used Version: 2.7.10 Website: https://tls.mbed.org/ Title: libpng diff --git a/sdk/include/reactos/libs/mbedtls/aesni.h b/sdk/include/reactos/libs/mbedtls/aesni.h index 1aebdfc0e90..c2fec4da604 100644 --- a/sdk/include/reactos/libs/mbedtls/aesni.h +++ b/sdk/include/reactos/libs/mbedtls/aesni.h @@ -26,6 +26,12 @@ #ifndef MBEDTLS_AESNI_H #define MBEDTLS_AESNI_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "aes.h" #define MBEDTLS_AESNI_AES 0x02000000u diff --git a/sdk/include/reactos/libs/mbedtls/asn1write.h b/sdk/include/reactos/libs/mbedtls/asn1write.h index 0b832e5c2aa..2ced49d9780 100644 --- a/sdk/include/reactos/libs/mbedtls/asn1write.h +++ b/sdk/include/reactos/libs/mbedtls/asn1write.h @@ -26,6 +26,12 @@ #ifndef MBEDTLS_ASN1_WRITE_H #define MBEDTLS_ASN1_WRITE_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "asn1.h" #define MBEDTLS_ASN1_CHK_ADD(g, f) do { if( ( ret = f ) < 0 ) return( ret ); else \ 
@@ -185,24 +191,27 @@ int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start, const char *text, size_t text_len ); /** - * \brief Write a bitstring tag (MBEDTLS_ASN1_BIT_STRING) and - * value in ASN.1 format - * Note: function works backwards in data buffer + * \brief Write a bitstring tag (#MBEDTLS_ASN1_BIT_STRING) and + * value in ASN.1 format. * - * \param p reference to current position pointer - * \param start start of the buffer (for bounds-checking) - * \param buf the bitstring - * \param bits the total number of bits in the bitstring + * \note This function works backwards in data buffer. * - * \return the length written or a negative error code + * \param p The reference to the current position pointer. + * \param start The start of the buffer, for bounds-checking. + * \param buf The bitstring to write. + * \param bits The total number of bits in the bitstring. + * + * \return The number of bytes written to \p p on success. + * \return A negative error code on failure. */ int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start, const unsigned char *buf, size_t bits ); /** - * \brief Write an octet string tag (MBEDTLS_ASN1_OCTET_STRING) and - * value in ASN.1 format - * Note: function works backwards in data buffer + * \brief Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING) + * and value in ASN.1 format. + * + * \note This function works backwards in data buffer. * * \param p reference to current position pointer * \param start start of the buffer (for bounds-checking) diff --git a/sdk/include/reactos/libs/mbedtls/base64.h b/sdk/include/reactos/libs/mbedtls/base64.h index ce5563e1d4f..478a3d6f246 100644 --- a/sdk/include/reactos/libs/mbedtls/base64.h +++ b/sdk/include/reactos/libs/mbedtls/base64.h 
@@ -26,6 +26,12 @@ #ifndef MBEDTLS_BASE64_H #define MBEDTLS_BASE64_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include #define MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL -0x002A /**< Output buffer too small. */ diff --git a/sdk/include/reactos/libs/mbedtls/bn_mul.h b/sdk/include/reactos/libs/mbedtls/bn_mul.h index 34ff50fb07e..b5bbd71dc35 100644 --- a/sdk/include/reactos/libs/mbedtls/bn_mul.h +++ b/sdk/include/reactos/libs/mbedtls/bn_mul.h @@ -40,6 +40,12 @@ #ifndef MBEDTLS_BN_MUL_H #define MBEDTLS_BN_MUL_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "bignum.h" #if defined(MBEDTLS_HAVE_ASM) @@ -736,7 +742,7 @@ "sw $10, %2 \n\t" \ : "=m" (c), "=m" (d), "=m" (s) \ : "m" (s), "m" (d), "m" (c), "m" (b) \ - : "$9", "$10", "$11", "$12", "$13", "$14", "$15" \ + : "$9", "$10", "$11", "$12", "$13", "$14", "$15", "lo", "hi" \ ); #endif /* MIPS */ diff --git a/sdk/include/reactos/libs/mbedtls/ccm.h b/sdk/include/reactos/libs/mbedtls/ccm.h index 435009a7a14..f826b4491ee 100644 --- a/sdk/include/reactos/libs/mbedtls/ccm.h +++ b/sdk/include/reactos/libs/mbedtls/ccm.h @@ -36,6 +36,12 @@ #ifndef MBEDTLS_CCM_H #define MBEDTLS_CCM_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "cipher.h" #define MBEDTLS_ERR_CCM_BAD_INPUT -0x000D /**< Bad input parameters to the function. */ diff --git a/sdk/include/reactos/libs/mbedtls/certs.h b/sdk/include/reactos/libs/mbedtls/certs.h index ae0f84a307d..31a6e86bba8 100644 --- a/sdk/include/reactos/libs/mbedtls/certs.h +++ b/sdk/include/reactos/libs/mbedtls/certs.h @@ -26,6 +26,12 @@ #ifndef MBEDTLS_CERTS_H #define MBEDTLS_CERTS_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include #ifdef __cplusplus 
diff --git a/sdk/include/reactos/libs/mbedtls/cmac.h b/sdk/include/reactos/libs/mbedtls/cmac.h index 7ab0c1056b5..e0c23cb55ec 100644 --- a/sdk/include/reactos/libs/mbedtls/cmac.h +++ b/sdk/include/reactos/libs/mbedtls/cmac.h @@ -28,6 +28,12 @@ #ifndef MBEDTLS_CMAC_H #define MBEDTLS_CMAC_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "cipher.h" #ifdef __cplusplus diff --git a/sdk/include/reactos/libs/mbedtls/compat-1.3.h b/sdk/include/reactos/libs/mbedtls/compat-1.3.h index 21ded5db82c..45647b0393d 100644 --- a/sdk/include/reactos/libs/mbedtls/compat-1.3.h +++ b/sdk/include/reactos/libs/mbedtls/compat-1.3.h @@ -27,6 +27,12 @@ * This file is part of mbed TLS (https://tls.mbed.org) */ +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #if ! defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(MBEDTLS_DEPRECATED_WARNING) diff --git a/sdk/include/reactos/libs/mbedtls/config.h b/sdk/include/reactos/libs/mbedtls/config.h index 912b5564c55..4e78b52b6df 100644 --- a/sdk/include/reactos/libs/mbedtls/config.h +++ b/sdk/include/reactos/libs/mbedtls/config.h 
@@ -558,6 +558,26 @@ */ #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES +/** + * \def MBEDTLS_REMOVE_3DES_CIPHERSUITES + * + * Remove 3DES ciphersuites by default in SSL / TLS. + * This flag removes the ciphersuites based on 3DES from the default list as + * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible + * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including + * them explicitly. + * + * A man-in-the-browser attacker can recover authentication tokens sent through + * a TLS connection using a 3DES based cipher suite (see "On the Practical + * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan + * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls + * in your threat model or you are unsure, then you should keep this option + * enabled to remove 3DES based cipher suites. + * + * Comment this macro to keep 3DES in the default ciphersuite list. + */ +#define MBEDTLS_REMOVE_3DES_CIPHERSUITES + /** * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED * diff --git a/sdk/include/reactos/libs/mbedtls/ctr_drbg.h b/sdk/include/reactos/libs/mbedtls/ctr_drbg.h index dedce771a9e..eec3f7c8889 100644 --- a/sdk/include/reactos/libs/mbedtls/ctr_drbg.h +++ b/sdk/include/reactos/libs/mbedtls/ctr_drbg.h @@ -30,6 +30,12 @@ #ifndef MBEDTLS_CTR_DRBG_H #define MBEDTLS_CTR_DRBG_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "aes.h" #if defined(MBEDTLS_THREADING_C) diff --git a/sdk/include/reactos/libs/mbedtls/ecdh.h b/sdk/include/reactos/libs/mbedtls/ecdh.h index d5bc59f5a47..6cfa7119cb2 100644 --- a/sdk/include/reactos/libs/mbedtls/ecdh.h +++ b/sdk/include/reactos/libs/mbedtls/ecdh.h @@ -35,6 +35,12 @@ #ifndef MBEDTLS_ECDH_H #define MBEDTLS_ECDH_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "ecp.h" #ifdef __cplusplus 
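Review bot: `#define MBEDTLS_REMOVE_3DES_CIPHERSUITES` is enabled in this config.h, which changes the default suite list for every consumer of this build, while the commit message records only the version bump. Peers that offer nothing but 3DES will stop negotiating with callers that rely on the default list, so the change deserves a line in the commit description or release notes. As the option text says, the macro filters only what mbedtls_ssl_list_ciphersuites() returns; code that passes its own list to mbedtls_ssl_conf_ciphersuites() can still select 3DES and needs to be checked separately.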
diff --git a/sdk/include/reactos/libs/mbedtls/ecdsa.h b/sdk/include/reactos/libs/mbedtls/ecdsa.h index 68b4931f446..9659bc07f20 100644 --- a/sdk/include/reactos/libs/mbedtls/ecdsa.h +++ b/sdk/include/reactos/libs/mbedtls/ecdsa.h @@ -33,6 +33,12 @@ #ifndef MBEDTLS_ECDSA_H #define MBEDTLS_ECDSA_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "ecp.h" #include "md.h" diff --git a/sdk/include/reactos/libs/mbedtls/ecjpake.h b/sdk/include/reactos/libs/mbedtls/ecjpake.h index 2107f31a624..fca04774226 100644 --- a/sdk/include/reactos/libs/mbedtls/ecjpake.h +++ b/sdk/include/reactos/libs/mbedtls/ecjpake.h @@ -42,6 +42,11 @@ * The payloads are serialized in a way suitable for use in TLS, but could * also be use outside TLS. */ +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif #include "ecp.h" #include "md.h" diff --git a/sdk/include/reactos/libs/mbedtls/ecp.h b/sdk/include/reactos/libs/mbedtls/ecp.h index 2d0ddcf75c1..adac0b2dc0a 100644 --- a/sdk/include/reactos/libs/mbedtls/ecp.h +++ b/sdk/include/reactos/libs/mbedtls/ecp.h @@ -26,6 +26,12 @@ #ifndef MBEDTLS_ECP_H #define MBEDTLS_ECP_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "bignum.h" /* diff --git a/sdk/include/reactos/libs/mbedtls/ecp_internal.h b/sdk/include/reactos/libs/mbedtls/ecp_internal.h index 73bccd4269d..70afecdf106 100644 --- a/sdk/include/reactos/libs/mbedtls/ecp_internal.h +++ b/sdk/include/reactos/libs/mbedtls/ecp_internal.h @@ -63,6 +63,12 @@ #ifndef MBEDTLS_ECP_INTERNAL_H #define MBEDTLS_ECP_INTERNAL_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #if defined(MBEDTLS_ECP_INTERNAL_ALT) /** diff --git a/sdk/include/reactos/libs/mbedtls/error.h b/sdk/include/reactos/libs/mbedtls/error.h index cb0548ba78a..363675709df 100644 
--- a/sdk/include/reactos/libs/mbedtls/error.h +++ b/sdk/include/reactos/libs/mbedtls/error.h @@ -26,6 +26,12 @@ #ifndef MBEDTLS_ERROR_H #define MBEDTLS_ERROR_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include /** diff --git a/sdk/include/reactos/libs/mbedtls/gcm.h b/sdk/include/reactos/libs/mbedtls/gcm.h index 081c1f1a682..5778d3fbb93 100644 --- a/sdk/include/reactos/libs/mbedtls/gcm.h +++ b/sdk/include/reactos/libs/mbedtls/gcm.h @@ -33,6 +33,12 @@ #ifndef MBEDTLS_GCM_H #define MBEDTLS_GCM_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "cipher.h" #include diff --git a/sdk/include/reactos/libs/mbedtls/havege.h b/sdk/include/reactos/libs/mbedtls/havege.h index 34229e6265e..37ccfe3568a 100644 --- a/sdk/include/reactos/libs/mbedtls/havege.h +++ b/sdk/include/reactos/libs/mbedtls/havege.h @@ -26,6 +26,12 @@ #ifndef MBEDTLS_HAVEGE_H #define MBEDTLS_HAVEGE_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include #define MBEDTLS_HAVEGE_COLLECT_SIZE 1024 diff --git a/sdk/include/reactos/libs/mbedtls/hmac_drbg.h b/sdk/include/reactos/libs/mbedtls/hmac_drbg.h index 91b1dbda9e9..71f6c358123 100644 --- a/sdk/include/reactos/libs/mbedtls/hmac_drbg.h +++ b/sdk/include/reactos/libs/mbedtls/hmac_drbg.h @@ -26,6 +26,12 @@ #ifndef MBEDTLS_HMAC_DRBG_H #define MBEDTLS_HMAC_DRBG_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "md.h" #if defined(MBEDTLS_THREADING_C) diff --git a/sdk/include/reactos/libs/mbedtls/net.h b/sdk/include/reactos/libs/mbedtls/net.h index 84d2955dc35..c18671259cb 100644 --- a/sdk/include/reactos/libs/mbedtls/net.h +++ b/sdk/include/reactos/libs/mbedtls/net.h 
@@ -25,6 +25,11 @@ * * This file is part of mbed TLS (https://tls.mbed.org) */ +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif #if !defined(MBEDTLS_DEPRECATED_REMOVED) #include "net_sockets.h" diff --git a/sdk/include/reactos/libs/mbedtls/padlock.h b/sdk/include/reactos/libs/mbedtls/padlock.h index 705a812cb95..9333119aaef 100644 --- a/sdk/include/reactos/libs/mbedtls/padlock.h +++ b/sdk/include/reactos/libs/mbedtls/padlock.h @@ -27,6 +27,12 @@ #ifndef MBEDTLS_PADLOCK_H #define MBEDTLS_PADLOCK_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "aes.h" #define MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED -0x0030 /**< Input data should be aligned. */ diff --git a/sdk/include/reactos/libs/mbedtls/pem.h b/sdk/include/reactos/libs/mbedtls/pem.h index 06a648371e5..6e8443359a6 100644 --- a/sdk/include/reactos/libs/mbedtls/pem.h +++ b/sdk/include/reactos/libs/mbedtls/pem.h @@ -26,6 +26,12 @@ #ifndef MBEDTLS_PEM_H #define MBEDTLS_PEM_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include /** diff --git a/sdk/include/reactos/libs/mbedtls/pkcs12.h b/sdk/include/reactos/libs/mbedtls/pkcs12.h index 1b6f449a0b8..86b85125aed 100644 --- a/sdk/include/reactos/libs/mbedtls/pkcs12.h +++ b/sdk/include/reactos/libs/mbedtls/pkcs12.h @@ -26,6 +26,12 @@ #ifndef MBEDTLS_PKCS12_H #define MBEDTLS_PKCS12_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "md.h" #include "cipher.h" #include "asn1.h" diff --git a/sdk/include/reactos/libs/mbedtls/pkcs5.h b/sdk/include/reactos/libs/mbedtls/pkcs5.h index ffd729fdacd..c936c032eda 100644 --- a/sdk/include/reactos/libs/mbedtls/pkcs5.h +++ b/sdk/include/reactos/libs/mbedtls/pkcs5.h 
@@ -28,6 +28,12 @@ #ifndef MBEDTLS_PKCS5_H #define MBEDTLS_PKCS5_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "asn1.h" #include "md.h" diff --git a/sdk/include/reactos/libs/mbedtls/ssl_cache.h b/sdk/include/reactos/libs/mbedtls/ssl_cache.h index 3252075e07e..0a9367c61cb 100644 --- a/sdk/include/reactos/libs/mbedtls/ssl_cache.h +++ b/sdk/include/reactos/libs/mbedtls/ssl_cache.h @@ -26,6 +26,12 @@ #ifndef MBEDTLS_SSL_CACHE_H #define MBEDTLS_SSL_CACHE_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "ssl.h" #if defined(MBEDTLS_THREADING_C) diff --git a/sdk/include/reactos/libs/mbedtls/ssl_ciphersuites.h b/sdk/include/reactos/libs/mbedtls/ssl_ciphersuites.h index d7bc190ed1d..05d8ebbce8b 100644 --- a/sdk/include/reactos/libs/mbedtls/ssl_ciphersuites.h +++ b/sdk/include/reactos/libs/mbedtls/ssl_ciphersuites.h @@ -26,6 +26,12 @@ #ifndef MBEDTLS_SSL_CIPHERSUITES_H #define MBEDTLS_SSL_CIPHERSUITES_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "pk.h" #include "cipher.h" #include "md.h" diff --git a/sdk/include/reactos/libs/mbedtls/ssl_cookie.h b/sdk/include/reactos/libs/mbedtls/ssl_cookie.h index edd93516788..9f846c3e2ba 100644 --- a/sdk/include/reactos/libs/mbedtls/ssl_cookie.h +++ b/sdk/include/reactos/libs/mbedtls/ssl_cookie.h @@ -26,6 +26,12 @@ #ifndef MBEDTLS_SSL_COOKIE_H #define MBEDTLS_SSL_COOKIE_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "ssl.h" #if defined(MBEDTLS_THREADING_C) diff --git a/sdk/include/reactos/libs/mbedtls/ssl_internal.h b/sdk/include/reactos/libs/mbedtls/ssl_internal.h index 75611fd767d..44a6caff677 100644 --- a/sdk/include/reactos/libs/mbedtls/ssl_internal.h +++ b/sdk/include/reactos/libs/mbedtls/ssl_internal.h 
@@ -26,6 +26,12 @@ #ifndef MBEDTLS_SSL_INTERNAL_H #define MBEDTLS_SSL_INTERNAL_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "ssl.h" #include "cipher.h" diff --git a/sdk/include/reactos/libs/mbedtls/ssl_ticket.h b/sdk/include/reactos/libs/mbedtls/ssl_ticket.h index c4ae9df484b..ffdc49616d4 100644 --- a/sdk/include/reactos/libs/mbedtls/ssl_ticket.h +++ b/sdk/include/reactos/libs/mbedtls/ssl_ticket.h @@ -26,6 +26,12 @@ #ifndef MBEDTLS_SSL_TICKET_H #define MBEDTLS_SSL_TICKET_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + /* * This implementation of the session ticket callbacks includes key * management, rotating the keys periodically in order to preserve forward diff --git a/sdk/include/reactos/libs/mbedtls/version.h b/sdk/include/reactos/libs/mbedtls/version.h index ea1568fbdb8..b0d49d21c4c 100644 --- a/sdk/include/reactos/libs/mbedtls/version.h +++ b/sdk/include/reactos/libs/mbedtls/version.h @@ -42,16 +42,16 @@ */ #define MBEDTLS_VERSION_MAJOR 2 #define MBEDTLS_VERSION_MINOR 7 -#define MBEDTLS_VERSION_PATCH 9 +#define MBEDTLS_VERSION_PATCH 10 /** * The single version number has the following structure: * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x02070900 -#define MBEDTLS_VERSION_STRING "2.7.9" -#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.7.9" +#define MBEDTLS_VERSION_NUMBER 0x02070A00 +#define MBEDTLS_VERSION_STRING "2.7.10" +#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.7.10" #if defined(MBEDTLS_VERSION_C) diff --git a/sdk/include/reactos/libs/mbedtls/x509_csr.h b/sdk/include/reactos/libs/mbedtls/x509_csr.h index 82a24c548d3..9acbe243a0f 100644 --- a/sdk/include/reactos/libs/mbedtls/x509_csr.h +++ b/sdk/include/reactos/libs/mbedtls/x509_csr.h 
@@ -207,6 +207,14 @@ void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_ty * \param key_usage key usage flags to set * * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * + * \note The decipherOnly flag from the Key Usage + * extension is represented by bit 8 (i.e. + * 0x8000), which cannot typically be represented + * in an unsigned char. Therefore, the flag + * decipherOnly (i.e. + * #MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this + * function. */ int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage ); -- 2.17.1
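Review bot: The `\return` line kept as context above the new note still lists only 0 and MBEDTLS_ERR_X509_ALLOC_FAILED, but the implementation changed in x509write_csr.c in this patch can now return MBEDTLS_ERR_X509_INVALID_FORMAT and passes through negative errors from mbedtls_asn1_write_bitstring. I would extend it to something like `\return 0 if successful, or a negative MBEDTLS_ERR_X509_xxx or MBEDTLS_ERR_ASN1_xxx error code`. The declaration's doc comment starts outside the hunk, so the parameter descriptions above it could not be checked against the new behaviour.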