Skip to content

Add initial mbedTLS v4 support#3532

Open
Easton97-Jens wants to merge 13 commits intoowasp-modsecurity:v3/masterfrom
Easton97-Jens:v3/master-mbedtl-v4
Open

Add initial mbedTLS v4 support#3532
Easton97-Jens wants to merge 13 commits intoowasp-modsecurity:v3/masterfrom
Easton97-Jens:v3/master-mbedtl-v4

Conversation

@Easton97-Jens
Copy link
Copy Markdown
Contributor

@Easton97-Jens Easton97-Jens commented Apr 2, 2026

what

  • Added initial support for Mbed TLS 4.x (TF-PSA-Crypto layout)
  • Updated build system (autotools + CMake) to use new TF-PSA include paths and sources
  • Replaced direct usage of deprecated/removed headers (md5.h, sha1.h) with generic mbedtls_md API
  • Adjusted include paths and compiler flags to match the new directory structure
  • Updated detection logic in configure.ac to work with Mbed TLS 4.x layout
  • Ensured compatibility without changing external targets or package discovery behavior

why

  • Mbed TLS 4.x introduces breaking changes and a new internal layout (TF-PSA-Crypto)
  • Previous build logic relied on files like library/base64.c which no longer exist in 4.x
  • This caused build failures during ./configure and compilation
  • These changes allow ModSecurity to build successfully with modern Mbed TLS versions
  • Keeps changes minimal and backward-compatible with existing build expectations

references

@airween airween requested a review from Copilot April 2, 2026 17:54
Copilot AI reviewed Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds initial build/runtime compatibility with Mbed TLS 4.x’s TF-PSA-Crypto layout by updating bundled Mbed TLS paths/sources and migrating MD5/SHA1 hashing to the generic mbedtls_md API.

Changes:

  • Switch MD5/SHA1 helpers from deprecated per-hash headers/functions to mbedtls_md (mbedtls/md.h + mbedtls_md()).
  • Update autotools build files to include TF-PSA-Crypto include paths and compile the new TF-PSA-Crypto source locations.
  • Update Win32 CMake build to compile the TF-PSA-Crypto source set and adjust include directories accordingly.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
src/utils/sha1.h Migrates digest implementation to generic mbedtls_md API.
src/utils/md5.h Updates MD5 wrapper to use the updated DigestImpl template.
src/Makefile.am Adds TF-PSA-Crypto include paths for libmodsecurity compilation.
others/Makefile.am Repoints bundled Mbed TLS subset headers/sources to TF-PSA-Crypto layout.
Makefile.am Extends cppcheck include paths for TF-PSA-Crypto headers.
configure.ac Updates configure-time check to detect TF-PSA-Crypto base64 source path.
build/win32/CMakeLists.txt Rebuilds bundled crypto subset from TF-PSA-Crypto sources and updates include dirs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/utils/sha1.h Outdated
Comment thread src/utils/sha1.h Outdated
@airween
Copy link
Copy Markdown
Member

airween commented Apr 3, 2026

Hi @Easton97-Jens,

there are two SonarCloud reports in sha1.cc file, please take a look at them.

@airween airween requested a review from Copilot April 3, 2026 12:01
Copilot AI reviewed Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/utils/sha1.h Outdated
@Easton97-Jens
Refactor and improve SHA1 digest handling and mbedtls integration
c43e0c8 
- Migrate to TF-PSA-Crypto layout
- Fix include and linkage issues
- Harden runtime checks
- Improve error and exception handling
- Refactor digest helper and buffer usage
@airween airween requested a review from Copilot April 18, 2026 15:43
Copilot AI reviewed Apr 18, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/utils/sha1.h Outdated
Comment thread src/utils/sha1.h Outdated
Comment thread src/utils/sha1.h Outdated
Easton97-Jens and others added 3 commits April 18, 2026 17:49
@Easton97-Jens
Merge branch 'v3/master' into v3/master-mbedtl-v4
759843d
@Easton97-Jens
Update Makefile.am
6afa94b
@Easton97-Jens
sha1/md5: fix exception safety, remove copy, and own exception message
d713740 
sha1/md5: fix exception safety, remove copy, and own exception message

sha1/md5: fix exception safety, remove copy, and own exception message

sha1/md5: fix exception safety, remove copy, and own exception message

sha1/md5: fix exception safety, remove copy, and own exception message

win update

win update
@airween airween requested a review from Copilot April 22, 2026 15:32
@airween airween added the 3.x Related to ModSecurity version 3.x label Apr 22, 2026
Copilot AI reviewed Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 6 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/utils/sha1.h Outdated
Comment thread src/utils/sha1.h Outdated
Comment thread src/utils/sha1.h Outdated
Comment thread configure.ac
Comment thread build/win32/CMakeLists.txt
Comment thread build/win32/CMakeLists.txt
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Apr 25, 2026

Quality Gate Passed Quality Gate passed

Issues
5 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@Easton97-Jens
Update README.md
bfb8b19 
Update README.md

Update README.md

Update README.md

Update README.md

Update README.md

Update README.md

Update dependencies in README for Windows build

Update lmdb version to 0.9.32 in README

Update README.md

Update README.md
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Apr 25, 2026

❌ The last analysis has failed.

See analysis details on SonarQube Cloud

@Easton97-Jens Easton97-Jens requested a review from airween April 25, 2026 17:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@airween airween Awaiting requested review from airween

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

3.x Related to ModSecurity version 3.x

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Build fails because of missing library/base64.c when using Mbed TLS 4.x — Is support planned?

3 participants

@Easton97-Jens @airween