Add initial mbedTLS v4 support

Makefile.am

@@ -63,7 +63,7 @@ cppcheck:
 		--enable=warning,style,performance,portability,unusedFunction,missingInclude \
 		--inconclusive \
 		--template="warning: {file},{line},{severity},{id},{message}" \
-		-I headers -I . -I $(top_srcdir)/others -I $(top_srcdir)/src -I $(top_srcdir)/others/mbedtls/include \
+		-I headers -I . -I $(top_srcdir)/others -I $(top_srcdir)/src -I $(top_srcdir)/others/mbedtls/include -I $(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I $(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \
 		--error-exitcode=1 \
 		-i "src/parser/seclang-parser.cc" -i "src/parser/seclang-scanner.cc" \
 		-i others \
@@ -99,4 +99,3 @@ pkgconfig_DATA = modsecurity.pc
 EXTRA_DIST = modsecurity.pc.in \
              modsecurity.conf-recommended \
              unicode.mapping
-

build/win32/CMakeLists.txt

@@ -51,10 +51,32 @@ target_compile_definitions(libinjection PRIVATE LIBINJECTION_VERSION="${LIBINJEC
 project(mbedcrypto C)
 
 set(MBEDTLS_DIR ${BASE_DIR}/others/mbedtls)
+set(TF_PSA_CRYPTO_DIR ${MBEDTLS_DIR}/tf-psa-crypto)
+
+add_library(mbedcrypto STATIC
+  ${TF_PSA_CRYPTO_DIR}/utilities/base64.c
+  ${TF_PSA_CRYPTO_DIR}/utilities/constant_time.c
+  ${TF_PSA_CRYPTO_DIR}/platform/platform_util.c
+  ${TF_PSA_CRYPTO_DIR}/extras/md.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/md5.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/sha1.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/sha256.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/sha512.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/sha3.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/ripemd160.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/psa_util_internal.c
+)
 
-add_library(mbedcrypto STATIC ${MBEDTLS_DIR}/library/base64.c ${MBEDTLS_DIR}/library/sha1.c ${MBEDTLS_DIR}/library/md5.c ${MBEDTLS_DIR}/library/platform_util.c ${MBEDTLS_DIR}/library/constant_time.c)
-
-target_include_directories(mbedcrypto PRIVATE ${MBEDTLS_DIR}/include)
+target_include_directories(mbedcrypto PRIVATE
+  ${MBEDTLS_DIR}/include
+  ${TF_PSA_CRYPTO_DIR}/include
+  ${TF_PSA_CRYPTO_DIR}/core
+  ${TF_PSA_CRYPTO_DIR}/extras
+  ${TF_PSA_CRYPTO_DIR}/library
+  ${TF_PSA_CRYPTO_DIR}/utilities
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/include
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src
+)
 
 # get mbedtls version with git describe
 execute_process(
@@ -72,7 +94,7 @@ message("-- Detecting Mbed TLS version - ${MBEDTLS_VERSION}")
 
 project(libModSecurity
     VERSION
-        3.0.12
+        3.0.14
     LANGUAGES
         CXX
 )
@@ -137,7 +159,7 @@ file(GLOB_RECURSE libModSecuritySources ${BASE_DIR}/src/*.cc)
 add_library(libModSecurity SHARED ${libModSecuritySources})
 
 target_compile_definitions(libModSecurity PRIVATE WITH_PCRE2)
-target_include_directories(libModSecurity PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others ${MBEDTLS_DIR}/include)
+target_include_directories(libModSecurity PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others ${MBEDTLS_DIR}/include ${TF_PSA_CRYPTO_DIR}/include ${TF_PSA_CRYPTO_DIR}/drivers/builtin/include)
 target_link_libraries(libModSecurity PRIVATE pcre2::pcre2 libinjection mbedcrypto Poco::Poco Iphlpapi.lib)
 
 macro(add_package_dependency project compile_definition link_library flag)

build/win32/conanfile.txt

@@ -1,13 +1,13 @@
 [requires]
 yajl/2.1.0
-pcre2/10.42
-libxml2/2.12.6
-lua/5.4.6
-libcurl/8.6.0
-lmdb/0.9.31
-libmaxminddb/1.9.1
+pcre2/10.44
+libxml2/2.15.2
+lua/5.5.0
+libcurl/8.19.0
+lmdb/0.9.32
+libmaxminddb/1.12.2
 dirent/1.24
-poco/1.13.3
+poco/1.14.2
 
 [generators]
 CMakeDeps

build/win32/docker/Dockerfile

@@ -24,7 +24,7 @@ RUN C:\TEMP\InstallBuildTools.cmd C:\TEMP\vs_buildtools.exe --quiet --wait --nor
     --installPath C:\BuildTools
 
 # download & install GIT
-ARG GIT_VERSION=2.44.0
+ARG GIT_VERSION=2.53.0
 ARG GIT_BINARY=Git-${GIT_VERSION}-64-bit.exe
 ARG GIT_URL=https://github.com/git-for-windows/git/releases/download/v${GIT_VERSION}.windows.1/${GIT_BINARY}
 
@@ -35,7 +35,7 @@ RUN %INSTALLER% /SP- /VERYSILENT /SUPPRESSMSGBOXES /NOCANCEL `
     /NORESTART /CLOSEAPPLICATIONS /RESTARTAPPLICATIONS /LOADINF=git.inf
 
 # download & setup conan
-ARG CONAN_VERSION=2.10.2
+ARG CONAN_VERSION=2.27.1
 ARG CONAN_BINARY=conan-${CONAN_VERSION}-windows-x86_64-installer.exe
 ARG CONAN_URL=https://github.com/conan-io/conan/releases/download/${CONAN_VERSION}/${CONAN_BINARY}
 
@@ -87,7 +87,7 @@ RUN cmd.exe /C copy "C:\Program Files\GIT\usr\bin" \bin > NUL
 RUN cmd.exe /C copy "C:\Program Files\GIT\usr\bin\echo.exe" \bin\echo > NUL
 
 # disable tests that don't work on windows
-ARG JQ_VERSION=1.7.1
+ARG JQ_VERSION=1.8.1
 ARG JQ_BINARY=jq-windows-amd64.exe
 ARG JQ_URL=https://github.com/jqlang/jq/releases/download/jq-${JQ_VERSION}/${JQ_BINARY}
 

configure.ac

@@ -84,7 +84,7 @@ AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git de
 AC_SUBST([LIBINJECTION_VERSION])
 
 # Check for Mbed TLS
-if ! test -f "${srcdir}/others/mbedtls/library/base64.c"; then
+if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/utilities/base64.c"; then
 AC_MSG_ERROR([\
 
 
@@ -532,4 +532,3 @@ if test "$aflFuzzer" = "true"; then
     echo "  $ export CC=afl-clang-fast "
     echo " "
 fi
-

others/Makefile.am

@@ -16,19 +16,25 @@ noinst_HEADERS = \
 	libinjection/src/libinjection_sqli_data.h \
 	libinjection/src/libinjection_xss.h \
 	libinjection/src/libinjection_error.h \
-	mbedtls/include/mbedtls/base64.h \
-	mbedtls/include/mbedtls/check_config.h \
+	mbedtls/tf-psa-crypto/include/mbedtls/base64.h \
+	mbedtls/tf-psa-crypto/core/check_crypto_config.h \
 	mbedtls/include/mbedtls/mbedtls_config.h \
-	mbedtls/include/mbedtls/md5.h \
-	mbedtls/include/mbedtls/platform.h \
-	mbedtls/include/mbedtls/sha1.h
+	mbedtls/tf-psa-crypto/include/mbedtls/md.h \
+	mbedtls/tf-psa-crypto/include/mbedtls/platform.h
 
 libmbedtls_la_SOURCES = \
-	mbedtls/library/base64.c \
-	mbedtls/library/md5.c \
-	mbedtls/library/sha1.c \
-	mbedtls/library/platform_util.c
+	mbedtls/tf-psa-crypto/utilities/base64.c \
+	mbedtls/tf-psa-crypto/utilities/constant_time.c \
+	mbedtls/tf-psa-crypto/platform/platform_util.c \
+	mbedtls/tf-psa-crypto/extras/md.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/sha256.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/sha512.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/sha3.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/ripemd160.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/psa_util_internal.c
 
-libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include
+libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/extras -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/library -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/utilities -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src
 libmbedtls_la_CPPFLAGS =
 libmbedtls_la_LIBADD =

src/Makefile.am

@@ -297,6 +297,8 @@ libmodsecurity_la_CPPFLAGS = \
 	-g \
 	-I$(top_srcdir)/others \
 	-I$(top_srcdir)/others/mbedtls/include \
+	-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \
+	-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \
 	-fPIC \
 	-O3 \
 	-I$(top_srcdir)/headers \
@@ -344,4 +346,3 @@ libmodsecurity_la_LIBADD = \
 	$(MAXMIND_LDADD) \
 	$(SSDEEP_LDADD) \
 	$(YAJL_LDADD)
-

src/utils/md5.h

@@ -17,16 +17,15 @@
 #define SRC_UTILS_MD5_H_
 
 #include "src/utils/sha1.h"
-#include "mbedtls/md5.h"
 #include <string>
 
 namespace modsecurity::Utils {
 
 
-class Md5 : public DigestImpl<&mbedtls_md5, 16> {
+class Md5 : public DigestImpl<MBEDTLS_MD_MD5, 16> {
 };
 
 
 }  // namespace modsecurity::Utils
 
-#endif  // SRC_UTILS_MD5_H_
+#endif  // SRC_UTILS_MD5_H_

src/utils/sha1.h

@@ -3,7 +3,7 @@
  * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
  *
  * You may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
+ * the License. You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
@@ -16,60 +16,102 @@
 #ifndef SRC_UTILS_SHA1_H_
 #define SRC_UTILS_SHA1_H_
 
-#include <string>
+#include <array>
 #include <cassert>
+#include <cstddef>
+#include <exception>
+#include <string>
+#include <string_view>
 
 #include "src/utils/string.h"
-#include "mbedtls/sha1.h"
+#include "mbedtls/md.h"
 
 namespace modsecurity::Utils {
 
+class DigestCalculationException : public std::exception {
+ public:
+    explicit DigestCalculationException(const char *message)
+        : m_message(message) { }
+
+    const char *what() const noexcept override {
+        return m_message.c_str();
+    }
 
-using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []);
+ private:
+    std::string m_message;
+};
 
 
-template<DigestOp digestOp, int DigestSize>
+template<mbedtls_md_type_t DigestType, int DigestSize>
 class DigestImpl {
  public:
-
     static std::string digest(const std::string& input) {
-        return digestHelper(input, [](const auto digest) { 
-            return std::string(digest);
-        });
+        try {
+            const auto digestBytes = calculateDigest(input);
+            return std::string(digestBytes.begin(), digestBytes.end());
+        } catch (const DigestCalculationException&) {
+            assert(false);
+            return std::string(DigestSize, '\0');
+        }
     }
 
     static void digestReplace(std::string& value) {
-        digestHelper(value, [&value](const auto digest) mutable { 
-            value = digest;
-        });
+        try {
+            const auto digestBytes = calculateDigest(value);
+            value.assign(digestBytes.begin(), digestBytes.end());
+        } catch (const DigestCalculationException&) {
+            assert(false);
+            value.assign(DigestSize, '\0');
+        }
     }
 
-    static std::string hexdigest(const std::string &input) {
-        return digestHelper(input, [](const auto digest) { 
-            return utils::string::string_to_hex(digest);
-        });
+    static std::string hexdigest(const std::string& input) {
+        try {
+            const auto digestBytes = calculateDigest(input);
+            const auto *digestByteData =
+                static_cast<const std::byte *>(static_cast<const void *>(digestBytes.data()));
+            return utils::string::string_to_hex(
+                digestByteData, digestBytes.size());
+        } catch (const DigestCalculationException&) {
+            assert(false);
+            const std::array<unsigned char, DigestSize> digestBytes = {};
+            const auto *digestByteData =
+                static_cast<const std::byte *>(static_cast<const void *>(digestBytes.data()));
+            return utils::string::string_to_hex(
+                digestByteData, digestBytes.size());
+        }
     }
 
-private:
-
-    template<typename ConvertOp>
-    static auto digestHelper(const std::string &input,
-        ConvertOp convertOp) -> auto {
-        char digest[DigestSize];
-
-        const auto ret = (*digestOp)(reinterpret_cast<const unsigned char *>(input.c_str()),
-                 input.size(), reinterpret_cast<unsigned char *>(digest));
-        assert(ret == 0);
-
-        return convertOp(std::string_view(digest, DigestSize));
+ private:
+    static std::array<unsigned char, DigestSize> calculateDigest(
+        std::string_view input) {
+        std::array<unsigned char, DigestSize> digestBytes = {};
+
+        const mbedtls_md_info_t *mdInfo = mbedtls_md_info_from_type(DigestType);
+        if (mdInfo == nullptr) {
+            throw DigestCalculationException(
+                "mbedtls_md_info_from_type() returned nullptr");
+        }
+
+        const auto *inputBytes =
+            static_cast<const unsigned char *>(static_cast<const void *>(input.data()));
+
+        if (const int ret = mbedtls_md(
+                mdInfo,
+                inputBytes,
+                input.size(),
+                digestBytes.data()); ret != 0) {
+            throw DigestCalculationException("mbedtls_md() failed");
+        }
+
+        return digestBytes;
     }
 };
 
 
-class Sha1 : public DigestImpl<&mbedtls_sha1, 20> {
+class Sha1 : public DigestImpl<MBEDTLS_MD_SHA1, 20> {
 };
 
-
 }  // namespace modsecurity::Utils
 
 #endif  // SRC_UTILS_SHA1_H_

src/utils/string.h

@@ -16,6 +16,7 @@
 #ifndef SRC_UTILS_STRING_H_
 #define SRC_UTILS_STRING_H_
 
+#include <cstddef>
 #include <ctime>
 #include <string>
 #include <cstring>
@@ -241,6 +242,29 @@ inline unsigned char *c2x(unsigned what, unsigned char *where) {
 }
 
 
+inline std::string string_to_hex(const std::byte *input, size_t size) {
+    static const char* const lut = "0123456789abcdef";
+
+    std::string a(size*2, 0);
+    char *d = a.data();
+
+    for (size_t i = 0; i < size; ++i) {
+        const std::byte b = input[i];
+        *d++ = lut[std::to_integer<unsigned>(b >> 4)];
+        *d++ = lut[std::to_integer<unsigned>(b & std::byte{0x0F})];
+    }
+
+    return a;
+}
+
+
+inline std::string string_to_hex(const unsigned char *input, size_t size) {
+    return string_to_hex(
+        static_cast<const std::byte *>(static_cast<const void *>(input)),
+        size);
+}
+
+
 inline std::string string_to_hex(std::string_view input) {
     static const char* const lut = "0123456789abcdef";