Merge pull request #33 from Easton97-Jens/codex/migrate-repository-to-mbed-tls-4.x

Migrate embedded Mbed TLS integration to TF-PSA-Crypto (Mbed TLS 4.x) paths

Author: Easton97-Jens

Makefile.am

@@ -63,7 +63,7 @@ cppcheck:
 		--enable=warning,style,performance,portability,unusedFunction,missingInclude \
 		--inconclusive \
 		--template="warning: {file},{line},{severity},{id},{message}" \
-		-I headers -I . -I $(top_srcdir)/others -I $(top_srcdir)/src -I $(top_srcdir)/others/mbedtls/include \
+		-I headers -I . -I $(top_srcdir)/others -I $(top_srcdir)/src -I $(top_srcdir)/others/mbedtls/include -I $(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I $(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \
 		--error-exitcode=1 \
 		-i "src/parser/seclang-parser.cc" -i "src/parser/seclang-scanner.cc" \
 		-i others \
@@ -99,4 +99,3 @@ pkgconfig_DATA = modsecurity.pc
 EXTRA_DIST = modsecurity.pc.in \
              modsecurity.conf-recommended \
              unicode.mapping
-

build/win32/CMakeLists.txt

@@ -51,10 +51,32 @@ target_compile_definitions(libinjection PRIVATE LIBINJECTION_VERSION="${LIBINJEC
 project(mbedcrypto C)
 
 set(MBEDTLS_DIR ${BASE_DIR}/others/mbedtls)
+set(TF_PSA_CRYPTO_DIR ${MBEDTLS_DIR}/tf-psa-crypto)
+
+add_library(mbedcrypto STATIC
+  ${TF_PSA_CRYPTO_DIR}/utilities/base64.c
+  ${TF_PSA_CRYPTO_DIR}/utilities/constant_time.c
+  ${TF_PSA_CRYPTO_DIR}/platform/platform_util.c
+  ${TF_PSA_CRYPTO_DIR}/extras/md.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/md5.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/sha1.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/sha256.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/sha512.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/sha3.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/ripemd160.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/psa_util_internal.c
+)
 
-add_library(mbedcrypto STATIC ${MBEDTLS_DIR}/library/base64.c ${MBEDTLS_DIR}/library/sha1.c ${MBEDTLS_DIR}/library/md5.c ${MBEDTLS_DIR}/library/platform_util.c ${MBEDTLS_DIR}/library/constant_time.c)
-
-target_include_directories(mbedcrypto PRIVATE ${MBEDTLS_DIR}/include)
+target_include_directories(mbedcrypto PRIVATE
+  ${MBEDTLS_DIR}/include
+  ${TF_PSA_CRYPTO_DIR}/include
+  ${TF_PSA_CRYPTO_DIR}/core
+  ${TF_PSA_CRYPTO_DIR}/extras
+  ${TF_PSA_CRYPTO_DIR}/library
+  ${TF_PSA_CRYPTO_DIR}/utilities
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/include
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src
+)
 
 # get mbedtls version with git describe
 execute_process(
@@ -137,7 +159,7 @@ file(GLOB_RECURSE libModSecuritySources ${BASE_DIR}/src/*.cc)
 add_library(libModSecurity SHARED ${libModSecuritySources})
 
 target_compile_definitions(libModSecurity PRIVATE WITH_PCRE2)
-target_include_directories(libModSecurity PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others ${MBEDTLS_DIR}/include)
+target_include_directories(libModSecurity PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others ${MBEDTLS_DIR}/include ${TF_PSA_CRYPTO_DIR}/include ${TF_PSA_CRYPTO_DIR}/drivers/builtin/include)
 target_link_libraries(libModSecurity PRIVATE pcre2::pcre2 libinjection mbedcrypto Poco::Poco Iphlpapi.lib)
 
 macro(add_package_dependency project compile_definition link_library flag)

configure.ac

@@ -84,7 +84,7 @@ AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git de
 AC_SUBST([LIBINJECTION_VERSION])
 
 # Check for Mbed TLS
-if ! test -f "${srcdir}/others/mbedtls/library/base64.c"; then
+if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/utilities/base64.c"; then
 AC_MSG_ERROR([\
 
 
@@ -532,4 +532,3 @@ if test "$aflFuzzer" = "true"; then
     echo "  $ export CC=afl-clang-fast "
     echo " "
 fi
-

others/Makefile.am

@@ -15,19 +15,24 @@ noinst_HEADERS = \
 	libinjection/src/libinjection_sqli.h \
 	libinjection/src/libinjection_sqli_data.h \
 	libinjection/src/libinjection_xss.h \
-	mbedtls/include/mbedtls/base64.h \
-	mbedtls/include/mbedtls/check_config.h \
+	mbedtls/tf-psa-crypto/include/mbedtls/base64.h \
 	mbedtls/include/mbedtls/mbedtls_config.h \
-	mbedtls/include/mbedtls/md5.h \
-	mbedtls/include/mbedtls/platform.h \
-	mbedtls/include/mbedtls/sha1.h
+	mbedtls/tf-psa-crypto/include/mbedtls/md.h \
+	mbedtls/tf-psa-crypto/include/mbedtls/platform.h
 
 libmbedtls_la_SOURCES = \
-	mbedtls/library/base64.c \
-	mbedtls/library/md5.c \
-	mbedtls/library/sha1.c \
-	mbedtls/library/platform_util.c
+	mbedtls/tf-psa-crypto/utilities/base64.c \
+	mbedtls/tf-psa-crypto/utilities/constant_time.c \
+	mbedtls/tf-psa-crypto/platform/platform_util.c \
+	mbedtls/tf-psa-crypto/extras/md.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/sha256.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/sha512.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/sha3.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/ripemd160.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/psa_util_internal.c
 
-libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include
+libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/extras -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/library -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/utilities -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src
 libmbedtls_la_CPPFLAGS =
 libmbedtls_la_LIBADD =

src/Makefile.am

@@ -296,6 +296,8 @@ libmodsecurity_la_CPPFLAGS = \
 	-g \
 	-I$(top_srcdir)/others \
 	-I$(top_srcdir)/others/mbedtls/include \
+	-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \
+	-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \
 	-fPIC \
 	-O3 \
 	-I$(top_srcdir)/headers \
@@ -343,4 +345,3 @@ libmodsecurity_la_LIBADD = \
 	$(MAXMIND_LDADD) \
 	$(SSDEEP_LDADD) \
 	$(YAJL_LDADD)
-

src/utils/md5.h

@@ -17,16 +17,15 @@
 #define SRC_UTILS_MD5_H_
 
 #include "src/utils/sha1.h"
-#include "mbedtls/md5.h"
 #include <string>
 
 namespace modsecurity::Utils {
 
 
-class Md5 : public DigestImpl<&mbedtls_md5, 16> {
+class Md5 : public DigestImpl<MBEDTLS_MD_MD5, 16> {
 };
 
 
 }  // namespace modsecurity::Utils
 
-#endif  // SRC_UTILS_MD5_H_
+#endif  // SRC_UTILS_MD5_H_

src/utils/sha1.h

@@ -20,15 +20,12 @@
 #include <cassert>
 
 #include "src/utils/string.h"
-#include "mbedtls/sha1.h"
+#include "mbedtls/md.h"
 
 namespace modsecurity::Utils {
 
 
-using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []);
-
-
-template<DigestOp digestOp, int DigestSize>
+template<mbedtls_md_type_t DigestType, int DigestSize>
 class DigestImpl {
  public:
 
@@ -56,8 +53,11 @@ class DigestImpl {
     static auto digestHelper(const std::string &input,
         ConvertOp convertOp) -> auto {
         char digest[DigestSize];
+        const auto *mdInfo = mbedtls_md_info_from_type(DigestType);
+        assert(mdInfo != nullptr);
 
-        const auto ret = (*digestOp)(reinterpret_cast<const unsigned char *>(input.c_str()),
+        const auto ret = mbedtls_md(mdInfo,
+                 reinterpret_cast<const unsigned char *>(input.c_str()),
                  input.size(), reinterpret_cast<unsigned char *>(digest));
         assert(ret == 0);
 
@@ -66,7 +66,7 @@ class DigestImpl {
 };
 
 
-class Sha1 : public DigestImpl<&mbedtls_sha1, 20> {
+class Sha1 : public DigestImpl<MBEDTLS_MD_SHA1, 20> {
 };