Add initial mbedTLS v4 support

configure.ac

@@ -78,7 +78,7 @@ AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git de
 AC_SUBST([LIBINJECTION_VERSION])
 
 # Check for Mbed TLS
-if ! test -f "${srcdir}/others/mbedtls/library/base64.c"; then
+if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c"; then
 AC_MSG_ERROR([\
 
 
@@ -374,6 +374,15 @@ case $assertions in
 esac
 GLOBAL_CPPFLAGS="$GLOBAL_CPPFLAGS $ASSERTIONS_CPPCFLAGS"
 
+MBEDTLS_CPPFLAGS='-DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" \
+-I$(top_srcdir)/others/mbedtls/include \
+-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \
+-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \
+-I$(top_srcdir)/others/mbedtls/include \
+-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core \
+-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src'
+GLOBAL_CPPFLAGS="$GLOBAL_CPPFLAGS $MBEDTLS_CPPFLAGS"
+
 AC_SUBST(GLOBAL_LDADD)
 AC_SUBST(GLOBAL_CPPFLAGS)
 

others/Makefile.am

@@ -15,19 +15,99 @@ noinst_HEADERS = \
 	libinjection/src/libinjection_sqli.h \
 	libinjection/src/libinjection_sqli_data.h \
 	libinjection/src/libinjection_xss.h \
-	mbedtls/include/mbedtls/base64.h \
-	mbedtls/include/mbedtls/check_config.h \
+	mbedtls/tf-psa-crypto/include/mbedtls/base64.h \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/check_crypto_config.h \
 	mbedtls/include/mbedtls/mbedtls_config.h \
-	mbedtls/include/mbedtls/md5.h \
-	mbedtls/include/mbedtls/platform.h \
-	mbedtls/include/mbedtls/sha1.h
+	mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/md5.h \
+	mbedtls/tf-psa-crypto/include/mbedtls/platform.h \
+	mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/sha1.h
+
+MBED_PSA_CORE_SOURCES = \
+        mbedtls/tf-psa-crypto/core/psa_crypto.c \
+        mbedtls/tf-psa-crypto/core/psa_crypto_client.c \
+        mbedtls/tf-psa-crypto/core/psa_crypto_slot_management.c \
+        mbedtls/tf-psa-crypto/core/psa_crypto_storage.c \
+        mbedtls/tf-psa-crypto/core/psa_its_file.c \
+        mbedtls/tf-psa-crypto/core/psa_crypto_driver_wrappers_no_static.c
+
+MBED_BUILTIN_SOURCES = \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/aes.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/aesce.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/aesni.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/aria.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/asn1parse.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/asn1write.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/bignum.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_core.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_mod.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/block_cipher.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/camellia.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/ccm.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/chacha20.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/chachapoly.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/cipher.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/cipher_wrap.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/cmac.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/constant_time.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/ctr_drbg.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/ecdh.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/ecdsa.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/ecjpake.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/ecp.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/ecp_curves.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/ecp_curves_new.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/entropy.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/entropy_poll.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/gcm.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/hmac_drbg.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/md.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/memory_buffer_alloc.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/nist_kw.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/oid.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/pem.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/pk.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/pk_ecc.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/pk_rsa.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/pk_wrap.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/pkcs5.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/pkparse.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/pkwrite.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/platform.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/poly1305.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_aead.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_cipher.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_ecp.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_ffdh.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_hash.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_mac.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_pake.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_rsa.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/psa_util.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/ripemd160.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/rsa.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/rsa_alt_helpers.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/sha256.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/sha3.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/sha512.c \
+        mbedtls/tf-psa-crypto/drivers/builtin/src/threading.c
 
 libmbedtls_la_SOURCES = \
-	mbedtls/library/base64.c \
-	mbedtls/library/md5.c \
-	mbedtls/library/sha1.c \
-	mbedtls/library/platform_util.c
+        $(MBED_PSA_CORE_SOURCES) \
+        $(MBED_BUILTIN_SOURCES)
 
-libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include
-libmbedtls_la_CPPFLAGS =
+libmbedtls_la_CPPFLAGS = \
+        -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" \
+        -I$(top_srcdir)/others/mbedtls/include \
+        -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \
+        -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core \
+        -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \
+        -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src
+
+#libmbedtls_la_CPPFLAGS =
 libmbedtls_la_LIBADD =
+

src/parser/seclang-scanner.cc

@@ -1,5 +1,5 @@
 
-#line 2 "seclang-scanner.cc"
+#line 3 "seclang-scanner.cc"
 
 #define  YY_INT_ALIGNED short int
 
@@ -5017,16 +5017,16 @@ static std::stack<int> YY_PREVIOUS_STATE;
 #define BEGIN_PREVIOUS() { BEGIN(YY_PREVIOUS_STATE.top()); YY_PREVIOUS_STATE.pop(); }
 
 // The location of the current token.
-#line 5020 "seclang-scanner.cc"
+#line 5021 "seclang-scanner.cc"
 #define YY_NO_INPUT 1
 #define YY_NO_UNISTD_H 1
 
 #line 498 "seclang-scanner.ll"
   // Code run each time a pattern is matched.
   # define YY_USER_ACTION  driver.loc.back()->columns (yyleng);
 
-#line 5028 "seclang-scanner.cc"
 #line 5029 "seclang-scanner.cc"
+#line 5030 "seclang-scanner.cc"
 
 #define INITIAL 0
 #define EXPECTING_ACTION_PREDICATE_VARIABLE 1
@@ -5348,7 +5348,7 @@ YY_DECL
   // Code run each time yylex is called.
   driver.loc.back()->step();
 
-#line 5351 "seclang-scanner.cc"
+#line 5352 "seclang-scanner.cc"
 
 	while ( /*CONSTCOND*/1 )		/* loops until end-of-file is reached */
 		{
@@ -8484,7 +8484,7 @@ YY_RULE_SETUP
 #line 1350 "seclang-scanner.ll"
 ECHO;
 	YY_BREAK
-#line 8487 "seclang-scanner.cc"
+#line 8488 "seclang-scanner.cc"
 
 	case YY_END_OF_BUFFER:
 		{

src/unique_id.cc

@@ -56,7 +56,8 @@
 #endif
 #include <string.h>
 
-#include "src/utils/sha1.h"
+/*#include "src/utils/sha1.h"*/
+#include "src/utils/sha256.h"
 
 namespace modsecurity {
 
@@ -72,7 +73,7 @@ void UniqueId::fillUniqueId() {
 
     data = macAddress + name;
 
-    this->uniqueId_str = Utils::Sha1::hexdigest(data);
+    this->uniqueId_str = Utils::Sha256::hexdigest(data);
 }
 
 // Based on:

src/utils/md5.h

@@ -1,32 +1,44 @@
 /*
  * ModSecurity, http://www.modsecurity.org/
- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
- *
- * You may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * If any of the files related to licensing are missing or if you have any
- * other questions related to licensing please contact Trustwave Holdings, Inc.
- * directly using the email address security@modsecurity.org.
+ * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc.
  *
+ * Licensed under the Apache License, Version 2.0
  */
 
 #ifndef SRC_UTILS_MD5_H_
 #define SRC_UTILS_MD5_H_
 
-#include "src/utils/sha1.h"
-#include "mbedtls/md5.h"
+#include "src/utils/sha1.h"   // nutzt DigestImpl + detail::ensure_psa_init()
 #include <string>
 
-namespace modsecurity::Utils {
-
+#include <psa/crypto.h>       // optional (weil sha1.h es schon inkludiert), aber ok
 
-class Md5 : public DigestImpl<&mbedtls_md5, 16> {
-};
+namespace modsecurity::Utils {
 
+// PSA-Wrapper mit alter Signatur
+inline int modsec_psa_md5(const unsigned char *input,
+                          size_t ilen,
+                          unsigned char output[16])
+{
+    if (!detail::ensure_psa_init()) {
+        return -1;
+    }
+
+    size_t out_len = 0;
+    psa_status_t status = psa_hash_compute(
+        PSA_ALG_MD5,
+        input,
+        ilen,
+        output,
+        16,
+        &out_len
+    );
+
+    return (status == PSA_SUCCESS && out_len == 16) ? 0 : -1;
+}
+
+class Md5 : public DigestImpl<&modsec_psa_md5, 16> {};
 
 }  // namespace modsecurity::Utils
 
-#endif  // SRC_UTILS_MD5_H_
+#endif  // SRC_UTILS_MD5_H_