net.mod/libssh2.mod/patches/mbedtls_3.x.patch

--- libssh2-1.10.0/src/mbedtls.c	2020-09-28 13:23:35.000000000 +0100
+++ libssh2.mod/libssh2/src/mbedtls.c	2021-12-01 20:52:58.000000000 +0000
@@ -122,10 +122,10 @@
     mbedtls_cipher_init(ctx);
     ret = mbedtls_cipher_setup(ctx, cipher_info);
     if(!ret)
-        ret = mbedtls_cipher_setkey(ctx, secret, cipher_info->key_bitlen, op);
+        ret = mbedtls_cipher_setkey(ctx, secret, cipher_info->MBEDTLS_PRIVATE(key_bitlen), op);
 
     if(!ret)
-        ret = mbedtls_cipher_set_iv(ctx, iv, cipher_info->iv_size);
+        ret = mbedtls_cipher_set_iv(ctx, iv, cipher_info->MBEDTLS_PRIVATE(iv_size));
 
     return ret == 0 ? 0 : -1;
 }
@@ -331,29 +331,29 @@
 
     ctx = (libssh2_rsa_ctx *) mbedtls_calloc(1, sizeof(libssh2_rsa_ctx));
     if(ctx != NULL) {
-        mbedtls_rsa_init(ctx, MBEDTLS_RSA_PKCS_V15, 0);
+        mbedtls_rsa_init(ctx);
     }
     else
         return -1;
 
     /* !checksrc! disable ASSIGNWITHINCONDITION 1 */
-    if((ret = mbedtls_mpi_read_binary(&(ctx->E), edata, elen) ) != 0 ||
-       (ret = mbedtls_mpi_read_binary(&(ctx->N), ndata, nlen) ) != 0) {
+    if((ret = mbedtls_mpi_read_binary(&(ctx->MBEDTLS_PRIVATE(E)), edata, elen) ) != 0 ||
+       (ret = mbedtls_mpi_read_binary(&(ctx->MBEDTLS_PRIVATE(N)), ndata, nlen) ) != 0) {
         ret = -1;
     }
 
     if(!ret) {
-        ctx->len = mbedtls_mpi_size(&(ctx->N));
+        ctx->MBEDTLS_PRIVATE(len) = mbedtls_mpi_size(&(ctx->MBEDTLS_PRIVATE(N)));
     }
 
     if(!ret && ddata) {
         /* !checksrc! disable ASSIGNWITHINCONDITION 1 */
-        if((ret = mbedtls_mpi_read_binary(&(ctx->D), ddata, dlen) ) != 0 ||
-           (ret = mbedtls_mpi_read_binary(&(ctx->P), pdata, plen) ) != 0 ||
-           (ret = mbedtls_mpi_read_binary(&(ctx->Q), qdata, qlen) ) != 0 ||
-           (ret = mbedtls_mpi_read_binary(&(ctx->DP), e1data, e1len) ) != 0 ||
-           (ret = mbedtls_mpi_read_binary(&(ctx->DQ), e2data, e2len) ) != 0 ||
-           (ret = mbedtls_mpi_read_binary(&(ctx->QP), coeffdata, coefflen) )
+        if((ret = mbedtls_mpi_read_binary(&(ctx->MBEDTLS_PRIVATE(D)), ddata, dlen) ) != 0 ||
+           (ret = mbedtls_mpi_read_binary(&(ctx->MBEDTLS_PRIVATE(P)), pdata, plen) ) != 0 ||
+           (ret = mbedtls_mpi_read_binary(&(ctx->MBEDTLS_PRIVATE(Q)), qdata, qlen) ) != 0 ||
+           (ret = mbedtls_mpi_read_binary(&(ctx->MBEDTLS_PRIVATE(DP)), e1data, e1len) ) != 0 ||
+           (ret = mbedtls_mpi_read_binary(&(ctx->MBEDTLS_PRIVATE(DQ)), e2data, e2len) ) != 0 ||
+           (ret = mbedtls_mpi_read_binary(&(ctx->MBEDTLS_PRIVATE(QP)), coeffdata, coefflen) )
            != 0) {
             ret = -1;
         }
@@ -381,14 +381,16 @@
     mbedtls_pk_context pkey;
     mbedtls_rsa_context *pk_rsa;
 
+
     *rsa = (libssh2_rsa_ctx *) LIBSSH2_ALLOC(session, sizeof(libssh2_rsa_ctx));
     if(*rsa == NULL)
         return -1;
 
-    mbedtls_rsa_init(*rsa, MBEDTLS_RSA_PKCS_V15, 0);
+    mbedtls_rsa_init(*rsa);
     mbedtls_pk_init(&pkey);
 
-    ret = mbedtls_pk_parse_keyfile(&pkey, filename, (char *)passphrase);
+    ret = mbedtls_pk_parse_keyfile(&pkey, filename, (char *)passphrase,
+    					mbedtls_ctr_drbg_random, &_libssh2_mbedtls_ctr_drbg);
     if(ret != 0 || mbedtls_pk_get_type(&pkey) != MBEDTLS_PK_RSA) {
         mbedtls_pk_free(&pkey);
         mbedtls_rsa_free(*rsa);
@@ -436,7 +438,8 @@
     pwd_len = passphrase != NULL ? strlen((const char *)passphrase) : 0;
     ret = mbedtls_pk_parse_key(&pkey, (unsigned char *)filedata_nullterm,
                                filedata_len + 1,
-                               passphrase, pwd_len);
+                               passphrase, pwd_len,
+                               mbedtls_ctr_drbg_random, &_libssh2_mbedtls_ctr_drbg);
     _libssh2_mbedtls_safe_free(filedata_nullterm, filedata_len);
 
     if(ret != 0 || mbedtls_pk_get_type(&pkey) != MBEDTLS_PK_RSA) {
@@ -468,8 +471,8 @@
     if(ret)
         return -1; /* failure */
 
-    ret = mbedtls_rsa_pkcs1_verify(rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC,
-                                   MBEDTLS_MD_SHA1, SHA_DIGEST_LENGTH,
+    ret = mbedtls_rsa_pkcs1_verify(rsa,
+    							   MBEDTLS_MD_SHA1, SHA_DIGEST_LENGTH,
                                    hash, sig);
 
     return (ret == 0) ? 0 : -1;
@@ -489,13 +492,13 @@
 
     (void)hash_len;
 
-    sig_len = rsa->len;
+    sig_len = rsa->MBEDTLS_PRIVATE(len);
     sig = LIBSSH2_ALLOC(session, sig_len);
     if(!sig) {
         return -1;
     }
 
-    ret = mbedtls_rsa_pkcs1_sign(rsa, NULL, NULL, MBEDTLS_RSA_PRIVATE,
+    ret = mbedtls_rsa_pkcs1_sign(rsa, NULL, NULL,
                                  MBEDTLS_MD_SHA1, SHA_DIGEST_LENGTH,
                                  hash, sig);
     if(ret) {
@@ -526,8 +529,8 @@
     unsigned char *key;
     unsigned char *p;
 
-    e_bytes = mbedtls_mpi_size(&rsa->E);
-    n_bytes = mbedtls_mpi_size(&rsa->N);
+    e_bytes = mbedtls_mpi_size(&rsa->MBEDTLS_PRIVATE(E));
+    n_bytes = mbedtls_mpi_size(&rsa->MBEDTLS_PRIVATE(N));
 
     /* Key form is "ssh-rsa" + e + n. */
     len = 4 + 7 + 4 + e_bytes + 4 + n_bytes;
@@ -547,11 +550,11 @@
 
     _libssh2_htonu32(p, e_bytes);
     p += 4;
-    mbedtls_mpi_write_binary(&rsa->E, p, e_bytes);
+    mbedtls_mpi_write_binary(&rsa->MBEDTLS_PRIVATE(E), p, e_bytes);
 
     _libssh2_htonu32(p, n_bytes);
     p += 4;
-    mbedtls_mpi_write_binary(&rsa->N, p, n_bytes);
+    mbedtls_mpi_write_binary(&rsa->MBEDTLS_PRIVATE(N), p, n_bytes);
 
     *keylen = (size_t)(p - key);
     return key;
@@ -623,7 +626,8 @@
     int ret;
 
     mbedtls_pk_init(&pkey);
-    ret = mbedtls_pk_parse_keyfile(&pkey, privatekey, passphrase);
+    ret = mbedtls_pk_parse_keyfile(&pkey, privatekey, passphrase,
+                               mbedtls_ctr_drbg_random, &_libssh2_mbedtls_ctr_drbg);
     if(ret != 0) {
         mbedtls_strerror(ret, (char *)buf, sizeof(buf));
         mbedtls_pk_free(&pkey);
@@ -670,7 +674,8 @@
     ret = mbedtls_pk_parse_key(&pkey,
                                (unsigned char *)privatekeydata_nullterm,
                                privatekeydata_len + 1,
-                               (const unsigned char *)passphrase, pwd_len);
+                               (const unsigned char *)passphrase, pwd_len,
+                               mbedtls_ctr_drbg_random, &_libssh2_mbedtls_ctr_drbg);
     _libssh2_mbedtls_safe_free(privatekeydata_nullterm, privatekeydata_len);
 
     if(ret != 0) {
@@ -766,13 +771,13 @@
                             &_libssh2_mbedtls_ctr_drbg) != 0)
         goto failed;
 
-    plen = 2 * mbedtls_mpi_size(&(*privkey)->grp.P) + 1;
+    plen = 2 * mbedtls_mpi_size(&(*privkey)->MBEDTLS_PRIVATE(grp).P) + 1;
     *pubkey_oct = LIBSSH2_ALLOC(session, plen);
 
     if(*pubkey_oct == NULL)
         goto failed;
 
-    if(mbedtls_ecp_point_write_binary(&(*privkey)->grp, &(*privkey)->Q,
+    if(mbedtls_ecp_point_write_binary(&(*privkey)->MBEDTLS_PRIVATE(grp), &(*privkey)->MBEDTLS_PRIVATE(Q),
                                       MBEDTLS_ECP_PF_UNCOMPRESSED,
                                       pubkey_oct_len, *pubkey_oct, plen) == 0)
         return 0;
@@ -805,13 +810,13 @@
 
     mbedtls_ecdsa_init(*ctx);
 
-    if(mbedtls_ecp_group_load(&(*ctx)->grp, (mbedtls_ecp_group_id)curve) != 0)
+    if(mbedtls_ecp_group_load(&(*ctx)->MBEDTLS_PRIVATE(grp), (mbedtls_ecp_group_id)curve) != 0)
         goto failed;
 
-    if(mbedtls_ecp_point_read_binary(&(*ctx)->grp, &(*ctx)->Q, k, k_len) != 0)
+    if(mbedtls_ecp_point_read_binary(&(*ctx)->MBEDTLS_PRIVATE(grp), &(*ctx)->MBEDTLS_PRIVATE(Q), k, k_len) != 0)
         goto failed;
 
-    if(mbedtls_ecp_check_pubkey(&(*ctx)->grp, &(*ctx)->Q) == 0)
+    if(mbedtls_ecp_check_pubkey(&(*ctx)->MBEDTLS_PRIVATE(grp), &(*ctx)->MBEDTLS_PRIVATE(Q)) == 0)
         return 0;
 
 failed:
@@ -842,21 +847,21 @@
 
     mbedtls_ecp_point_init(&pubkey);
 
-    if(mbedtls_ecp_point_read_binary(&privkey->grp, &pubkey,
+    if(mbedtls_ecp_point_read_binary(&privkey->MBEDTLS_PRIVATE(grp), &pubkey,
                                      server_pubkey, server_pubkey_len) != 0) {
         rc = -1;
         goto cleanup;
     }
 
-    if(mbedtls_ecdh_compute_shared(&privkey->grp, *k,
-                                   &pubkey, &privkey->d,
+    if(mbedtls_ecdh_compute_shared(&privkey->MBEDTLS_PRIVATE(grp), *k,
+                                   &pubkey, &privkey->MBEDTLS_PRIVATE(d),
                                    mbedtls_ctr_drbg_random,
                                    &_libssh2_mbedtls_ctr_drbg) != 0) {
         rc = -1;
         goto cleanup;
     }
 
-    if(mbedtls_ecp_check_privkey(&privkey->grp, *k) != 0)
+    if(mbedtls_ecp_check_privkey(&privkey->MBEDTLS_PRIVATE(grp), *k) != 0)
         rc = -1;
 
 cleanup:
@@ -871,9 +876,9 @@
     unsigned char hsh[SHA##digest_type##_DIGEST_LENGTH];            \
                                                                     \
     if(libssh2_sha##digest_type(m, m_len, hsh) == 0) {              \
-        rc = mbedtls_ecdsa_verify(&ctx->grp, hsh,                   \
+        rc = mbedtls_ecdsa_verify(&ctx->MBEDTLS_PRIVATE(grp), hsh,                   \
                                   SHA##digest_type##_DIGEST_LENGTH, \
-                                  &ctx->Q, &pr, &ps);               \
+                                  &ctx->MBEDTLS_PRIVATE(Q), &pr, &ps);               \
     }                                                               \
                                                                     \
 }
@@ -936,7 +941,8 @@
 
     pwd_len = pwd ? strlen((const char *) pwd) : 0;
 
-    if(mbedtls_pk_parse_key(pkey, data, data_len, pwd, pwd_len) != 0)
+    if(mbedtls_pk_parse_key(pkey, data, data_len, pwd, pwd_len,
+                               mbedtls_ctr_drbg_random, &_libssh2_mbedtls_ctr_drbg) != 0)
         goto failed;
 
     if(mbedtls_pk_get_type(pkey) != MBEDTLS_PK_ECKEY)
@@ -1001,19 +1007,19 @@
 
     mbedtls_ecdsa_init(*ctx);
 
-    if(mbedtls_ecp_group_load(&(*ctx)->grp, (mbedtls_ecp_group_id)type) != 0)
+    if(mbedtls_ecp_group_load(&(*ctx)->MBEDTLS_PRIVATE(grp), (mbedtls_ecp_group_id)type) != 0)
         goto failed;
 
-    if(mbedtls_mpi_read_binary(&(*ctx)->d, exponent, exponentlen) != 0)
+    if(mbedtls_mpi_read_binary(&(*ctx)->MBEDTLS_PRIVATE(d), exponent, exponentlen) != 0)
         goto failed;
 
-    if(mbedtls_ecp_mul(&(*ctx)->grp, &(*ctx)->Q,
-                       &(*ctx)->d, &(*ctx)->grp.G,
+    if(mbedtls_ecp_mul(&(*ctx)->MBEDTLS_PRIVATE(grp), &(*ctx)->MBEDTLS_PRIVATE(Q),
+                       &(*ctx)->MBEDTLS_PRIVATE(d), &(*ctx)->MBEDTLS_PRIVATE(grp).G,
                        mbedtls_ctr_drbg_random,
                        &_libssh2_mbedtls_ctr_drbg) != 0)
         goto failed;
 
-    if(mbedtls_ecp_check_privkey(&(*ctx)->grp, &(*ctx)->d) == 0)
+    if(mbedtls_ecp_check_privkey(&(*ctx)->MBEDTLS_PRIVATE(grp), &(*ctx)->MBEDTLS_PRIVATE(d)) == 0)
         goto cleanup;
 
 failed:
@@ -1157,7 +1163,7 @@
     mbedtls_mpi_init(&pr);
     mbedtls_mpi_init(&ps);
 
-    if(mbedtls_ecdsa_sign(&ctx->grp, &pr, &ps, &ctx->d,
+    if(mbedtls_ecdsa_sign(&ctx->MBEDTLS_PRIVATE(grp), &pr, &ps, &ctx->MBEDTLS_PRIVATE(d),
                           hash, hash_len,
                           mbedtls_ctr_drbg_random,
                           &_libssh2_mbedtls_ctr_drbg) != 0)
@@ -1204,7 +1210,7 @@
 libssh2_curve_type
 _libssh2_mbedtls_ecdsa_get_curve_type(libssh2_ecdsa_ctx *ctx)
 {
-    return (libssh2_curve_type) ctx->grp.id;
+    return (libssh2_curve_type) ctx->MBEDTLS_PRIVATE(grp).id;
 }
 
 /* _libssh2_ecdsa_curve_type_from_name

--- libssh2-1.10.0/src/mbedtls.h	2020-09-28 13:23:35.000000000 +0100
+++ libssh2.mod/libssh2/src/mbedtls.h	2021-11-30 20:54:52.000000000 +0000
@@ -65,12 +65,12 @@
 
 #define LIBSSH2_AES             1
 #define LIBSSH2_AES_CTR         1
-#define LIBSSH2_BLOWFISH        1
-#define LIBSSH2_RC4             1
+#define LIBSSH2_BLOWFISH        0
+#define LIBSSH2_RC4             0
 #define LIBSSH2_CAST            0
 #define LIBSSH2_3DES            1
 
-#define LIBSSH2_RSA             1
+#define LIBSSH2_RSA             0
 #define LIBSSH2_DSA             0
 #ifdef MBEDTLS_ECDSA_C
 # define LIBSSH2_ECDSA          1