30 changes: 25 additions & 5 deletions build.sh
@@ -1,8 +1,6 @@
#!/bin/sh

rm -rf autom4te.cache
rm -f aclocal.m4

cd src
rm -f headers.mk
echo "noinst_HEADERS = \\" > headers.mk
Expand All @@ -23,13 +21,35 @@ ls -1 \
engine/*.h \
*.h | tr "\012" " " >> headers.mk
cd ../

##############################################################################
# NEW: Automatically generate psa_crypto_driver_wrappers.h, path will be searched
##############################################################################
echo "[+] Searching for psa_crypto_driver_wrappers.h …"
if ! find . -maxdepth 10 -type f -name 'psa_crypto_driver_wrappers.h' | grep -q \
.; then
echo "[+] File not found, searching for generate_driver_wrappers.py …"
GEN_SCRIPT=$(find . -maxdepth 10 -type f -name 'generate_driver_wrappers.py' | head -n 1)
if [ -n "$GEN_SCRIPT" ]; then
GEN_DIR=$(dirname "$GEN_SCRIPT")
echo "[+] Generator script found in: $GEN_DIR"
(
cd "$GEN_DIR" || exit 1
# optional: silently install Python dependencies
python3 -m pip install --user jinja2 jsonschema >/dev/null 2>&1 || true
echo "[+] Running: python3 $(basename "$GEN_SCRIPT")"
python3 "$(basename "$GEN_SCRIPT")"
)
else
echo "[!] No generate_driver_wrappers.py found – skipping this step."
fi
else
echo "[+] psa_crypto_driver_wrappers.h already exists, nothing to do."
fi
##############################################################################
case `uname` in Darwin*) glibtoolize --force --copy ;;
*) libtoolize --force --copy ;; esac
autoreconf --install
autoheader
automake --add-missing --foreign --copy --force-missing
autoconf --force
rm -rf autom4te.cache
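Review bot: The line `python3 -m pip install --user jinja2 jsonschema >/dev/null 2>&1 || true` fetches unpinned packages from the network on every build and hides the outcome, which makes the build non-reproducible and lets whatever is fetched run at build time; and the subshell that runs the generator discards its exit status, so a failed generation only surfaces later as a missing header with an unrelated compile error. Prefer checking for the modules and failing with a clear message, e.g. `python3 -c 'import jinja2, jsonschema' || { echo "[!] jinja2 and jsonschema are required"; exit 1; }`, and append `|| exit 1` after the closing `)` of the subshell. The `find . -maxdepth 10 ... | head -n 1` also picks whichever copy of the script happens to be found first; since the submodule lives at a known path (`others/mbedtls` elsewhere in this change), anchoring the search there would be more predictable.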


11 changes: 10 additions & 1 deletion configure.ac
Expand Up @@ -77,7 +77,7 @@ AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git de
AC_SUBST([LIBINJECTION_VERSION])

# Check for Mbed TLS
if ! test -f "${srcdir}/others/mbedtls/library/base64.c"; then
if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c"; then
AC_MSG_ERROR([\


Expand Down Expand Up @@ -372,6 +372,15 @@ case $assertions in
esac
GLOBAL_CPPFLAGS="$GLOBAL_CPPFLAGS $ASSERTIONS_CPPCFLAGS"

MBEDTLS_CPPFLAGS='-DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" \
-I$(top_srcdir)/others/mbedtls/include \
-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \
-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \
-I$(top_srcdir)/others/mbedtls/include \
-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core \
-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src'
GLOBAL_CPPFLAGS="$GLOBAL_CPPFLAGS $MBEDTLS_CPPFLAGS"

AC_SUBST(GLOBAL_LDADD)
AC_SUBST(GLOBAL_CPPFLAGS)
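Review bot: `-I$(top_srcdir)/others/mbedtls/include` appears twice in `MBEDTLS_CPPFLAGS` (second and fifth entries); drop the second occurrence. Folding `tf-psa-crypto/core` and `drivers/builtin/src` into `GLOBAL_CPPFLAGS` also puts Mbed TLS's internal source directories on the include path of every object in the project, not just the digest wrappers, which risks picking up private headers by accident or shadowing same-named project headers; the wrappers only need `<psa/crypto.h>` from `tf-psa-crypto/include`. Consider keeping the `core` and `builtin/src` entries in `libmbedtls_la_CPPFLAGS` only, and adding `AC_SUBST(MBEDTLS_CPPFLAGS)` so Makefile.am can reuse a single definition instead of restating the list.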

102 changes: 91 additions & 11 deletions others/Makefile.am
Expand Up @@ -15,19 +15,99 @@ noinst_HEADERS = \
libinjection/src/libinjection_sqli.h \
libinjection/src/libinjection_sqli_data.h \
libinjection/src/libinjection_xss.h \
mbedtls/include/mbedtls/base64.h \
mbedtls/include/mbedtls/check_config.h \
mbedtls/tf-psa-crypto/include/mbedtls/base64.h \
mbedtls/tf-psa-crypto/drivers/builtin/src/check_crypto_config.h \
mbedtls/include/mbedtls/mbedtls_config.h \
mbedtls/include/mbedtls/md5.h \
mbedtls/include/mbedtls/platform.h \
mbedtls/include/mbedtls/sha1.h
mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/md5.h \
mbedtls/tf-psa-crypto/include/mbedtls/platform.h \
mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/sha1.h

MBED_PSA_CORE_SOURCES = \
mbedtls/tf-psa-crypto/core/psa_crypto.c \
mbedtls/tf-psa-crypto/core/psa_crypto_client.c \
mbedtls/tf-psa-crypto/core/psa_crypto_slot_management.c \
mbedtls/tf-psa-crypto/core/psa_crypto_storage.c \
mbedtls/tf-psa-crypto/core/psa_its_file.c \
mbedtls/tf-psa-crypto/core/psa_crypto_driver_wrappers_no_static.c

MBED_BUILTIN_SOURCES = \
Let me check the new version of mbedtls and make sure that all of these sources are necessary.

mbedtls/tf-psa-crypto/drivers/builtin/src/aes.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/aesce.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/aesni.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/aria.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/asn1parse.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/asn1write.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/bignum.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_core.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_mod.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/block_cipher.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/camellia.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/ccm.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/chacha20.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/chachapoly.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/cipher.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/cipher_wrap.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/cmac.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/constant_time.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/ctr_drbg.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/ecdh.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/ecdsa.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/ecjpake.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/ecp.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/ecp_curves.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/ecp_curves_new.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/entropy.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/entropy_poll.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/gcm.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/hmac_drbg.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/md.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/memory_buffer_alloc.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/nist_kw.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/oid.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/pem.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/pk.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/pk_ecc.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/pk_rsa.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/pk_wrap.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/pkcs5.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/pkparse.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/pkwrite.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/platform.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/poly1305.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_aead.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_cipher.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_ecp.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_ffdh.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_hash.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_mac.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_pake.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_rsa.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/psa_util.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/ripemd160.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/rsa.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/rsa_alt_helpers.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/sha256.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/sha3.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/sha512.c \
mbedtls/tf-psa-crypto/drivers/builtin/src/threading.c

libmbedtls_la_SOURCES = \
mbedtls/library/base64.c \
mbedtls/library/md5.c \
mbedtls/library/sha1.c \
mbedtls/library/platform_util.c
$(MBED_PSA_CORE_SOURCES) \
$(MBED_BUILTIN_SOURCES)

libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include
libmbedtls_la_CPPFLAGS =
libmbedtls_la_CPPFLAGS = \
-DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" \
-I$(top_srcdir)/others/mbedtls/include \
-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \
-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core \
-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \
-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src

#libmbedtls_la_CPPFLAGS =
libmbedtls_la_LIBADD =
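Review bot: The include list under `libmbedtls_la_CPPFLAGS =` restates the same directories that configure.ac now folds into `GLOBAL_CPPFLAGS`, in a different order, so the two lists can silently drift apart; if configure.ac exported the variable with `AC_SUBST(MBEDTLS_CPPFLAGS)`, this block could shrink to `libmbedtls_la_CPPFLAGS = $(MBEDTLS_CPPFLAGS)`. The stale line `#libmbedtls_la_CPPFLAGS =` left after the new definition should be deleted rather than kept as a comment.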

2 changes: 1 addition & 1 deletion others/mbedtls
Submodule mbedtls updated 1764 files
5 changes: 3 additions & 2 deletions src/unique_id.cc
Expand Up @@ -56,7 +56,8 @@
#endif
#include <string.h>

#include "src/utils/sha1.h"
/*#include "src/utils/sha1.h"*/
#include "src/utils/sha256.h"

namespace modsecurity {

Expand All @@ -72,7 +73,7 @@ void UniqueId::fillUniqueId() {

data = macAddress + name;

this->uniqueId_str = Utils::Sha1::hexdigest(data);
this->uniqueId_str = Utils::Sha256::hexdigest(data);
Could you explain why you changed SHA-1 to SHA-256? This gives a longer ID (SHA-1 is 40 hex characters, SHA-256 is 64 hex characters) — are we sure users want that?

And I'm not sure SHA-256 gives any benefit here (cryptographic strength does not matter in this case).

}

// Based on:
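Review bot: The line `/*#include "src/utils/sha1.h"*/` keeps a dead include as a comment; delete the line instead, since version control preserves the history and a commented-out include invites someone to re-enable it without revisiting the decision. The body of `fillUniqueId` starts before this hunk, so I could not check whether anything else in it still relied on the SHA-1 header being pulled in transitively.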
34 changes: 27 additions & 7 deletions src/utils/md5.h
Expand Up @@ -16,17 +16,37 @@
#ifndef SRC_UTILS_MD5_H_
#define SRC_UTILS_MD5_H_

#include "src/utils/sha1.h"
#include "mbedtls/md5.h"
#include "src/utils/sha1.h" // uses DigestImpl + detail::ensure_psa_init()
#include <string>

namespace modsecurity::Utils {

#include <psa/crypto.h> // optional (since sha1.h already includes it), but ok

class Md5 : public DigestImpl<&mbedtls_md5, 16> {
};
namespace modsecurity::Utils {

// PSA wrapper with legacy signature
inline int modsec_psa_md5(const unsigned char *input,
size_t ilen,
unsigned char output[16])
{
if (!detail::ensure_psa_init()) {
return -1;
}

size_t out_len = 0;
psa_status_t status = psa_hash_compute(
PSA_ALG_MD5,
input,
ilen,
output,
16,
&out_len
);

return (status == PSA_SUCCESS && out_len == 16) ? 0 : -1;
}

class Md5 : public DigestImpl<&modsec_psa_md5, 16> {};

} // namespace modsecurity::Utils

#endif // SRC_UTILS_MD5_H_
#endif // SRC_UTILS_MD5_H_
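Review bot: `modsec_psa_md5` is a line-for-line copy of `modsec_psa_sha1` in sha1.h with only the algorithm and the length changed; one helper parameterised on both, e.g. `template <psa_algorithm_t Alg, std::size_t Len> int psa_digest(const unsigned char*, std::size_t, unsigned char*)` placed next to `ensure_psa_init`, would let `Md5` and `Sha1` share a single implementation and a single place to fix error handling. The comment calling `#include <psa/crypto.h>` optional is misleading: this header uses `psa_hash_compute`, `PSA_ALG_MD5` and `psa_status_t` directly, so the include is required, and `<cstddef>` should be added for `size_t` rather than relying on sha1.h. Whether MD5 is enabled in the submodule's crypto config is not visible here; if it is not, every MD5 digest fails at runtime through the `-1` path rather than at build time, so a `#error` guarded on `PSA_WANT_ALG_MD5` would surface the misconfiguration earlier.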
92 changes: 68 additions & 24 deletions src/utils/sha1.h
Expand Up @@ -16,60 +16,104 @@
#ifndef SRC_UTILS_SHA1_H_
#define SRC_UTILS_SHA1_H_

#include <array>
#include <cstddef>
#include <cstring>
#include <mutex>
#include <string>
#include <cassert>
#include <string_view>

#include "src/utils/string.h"
#include "mbedtls/sha1.h"
#include <psa/crypto.h>

namespace modsecurity::Utils {

namespace detail {

using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []);
// Thread-safe PSA initialization shared by all digests
inline bool ensure_psa_init() {
static std::once_flag once;
static psa_status_t init_status = PSA_ERROR_GENERIC_ERROR;

std::call_once(once, []() { init_status = psa_crypto_init(); });

template<DigestOp digestOp, int DigestSize>
return init_status == PSA_SUCCESS;
}

} // namespace detail

// C-friendly digest function signature (matches legacy wrappers like modsec_psa_md5)
template <std::size_t DigestSize>
using DigestOp = int (*)(const unsigned char* input,
std::size_t input_len,
unsigned char* output);

// Generic digest implementation
template <auto DigestFn, std::size_t DigestSize>
class DigestImpl {
public:

static std::string digest(const std::string& input) {
return digestHelper(input, [](const auto digest) {
return std::string(digest);
return digestHelper(input, [](std::string_view d) {
return std::string{d};
});
}

static void digestReplace(std::string& value) {
digestHelper(value, [&value](const auto digest) mutable {
value = digest;
});
value = digest(value);
}

static std::string hexdigest(const std::string &input) {
return digestHelper(input, [](const auto digest) {
return utils::string::string_to_hex(digest);
static std::string hexdigest(const std::string& input) {
return digestHelper(input, [](std::string_view d) {
return utils::string::string_to_hex(d);
});
}

private:
private:
template <typename ConvertOp>
static auto digestHelper(const std::string& input, ConvertOp convertOp)
-> decltype(convertOp(std::string_view{})) {

template<typename ConvertOp>
static auto digestHelper(const std::string &input,
ConvertOp convertOp) -> auto {
char digest[DigestSize];
std::array<unsigned char, DigestSize> out{};
const std::string_view sv{input};

const auto ret = (*digestOp)(reinterpret_cast<const unsigned char *>(input.c_str()),
input.size(), reinterpret_cast<unsigned char *>(digest));
assert(ret == 0);
const auto* in_ptr =
reinterpret_cast<const unsigned char*>(sv.data());
const std::size_t in_len = sv.size();

return convertOp(std::string_view(digest, DigestSize));
if (DigestFn(in_ptr, in_len, out.data()) != 0) {
return convertOp(std::string_view{});
}

std::string raw(DigestSize, '\0');
std::memcpy(raw.data(), out.data(), DigestSize);
return convertOp(std::string_view{raw});
}
};

// PSA wrapper for SHA-1 (0 = success, non-zero = error)
inline int modsec_psa_sha1(const unsigned char* input,
std::size_t ilen,
unsigned char* output) {
if (!detail::ensure_psa_init()) {
return -1;
}

class Sha1 : public DigestImpl<&mbedtls_sha1, 20> {
};
size_t out_len = 0;
psa_status_t status = psa_hash_compute(
PSA_ALG_SHA_1,
input,
ilen,
output,
20,
&out_len
);

return (status == PSA_SUCCESS && out_len == 20) ? 0 : -1;
}

class Sha1 : public DigestImpl<&modsec_psa_sha1, 20> {};

} // namespace modsecurity::Utils

#endif // SRC_UTILS_SHA1_H_
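Review bot: In `digestHelper` the failure branch `return convertOp(std::string_view{});` turns a digest error into an empty result — `digest()` returns "", `digestReplace()` overwrites the caller's value with "", `hexdigest()` returns "" — with no signal to the caller, whereas the old code at least asserted; for a routine that feeds identifiers such as `UniqueId`, an empty digest should be a hard failure rather than a quiet one. If the project builds with exceptions, throw `std::runtime_error` there (needs `<stdexcept>`); otherwise keep the assert and log the failing PSA status. The alias template `DigestOp<DigestSize>` is declared but never used (`DigestImpl` takes `auto DigestFn`), so either remove it or use it to constrain the parameter, e.g. `static_assert(std::is_convertible_v<decltype(DigestFn), DigestOp<DigestSize>>);` inside the class (needs `<type_traits>`). The intermediate `std::string raw` plus `std::memcpy` is an extra allocation per digest; a `std::string_view` over `out.data()` is enough because `out` outlives the `convertOp` call.
```cpp
    template <typename ConvertOp>
    static auto digestHelper(const std::string& input, ConvertOp convertOp)
        -> decltype(convertOp(std::string_view{})) {
        std::array<unsigned char, DigestSize> out{};
        const auto* in_ptr =
            reinterpret_cast<const unsigned char*>(input.data());
        if (DigestFn(in_ptr, input.size(), out.data()) != 0) {
            // An empty digest would silently propagate into identifiers; fail loudly.
            throw std::runtime_error("digest computation failed");
        }
        // `out` outlives the call below, so a view is sufficient; no copy needed.
        return convertOp(std::string_view{
            reinterpret_cast<const char*>(out.data()), DigestSize});
    }
```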
