From f132bb39e89a84b2e2c477db186025b7fc31b365 Mon Sep 17 00:00:00 2001 From: jens Date: Wed, 17 Dec 2025 10:32:32 +0100 Subject: [PATCH 01/13] Pin mbedtls submodule to v4.0.0 --- others/mbedtls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/others/mbedtls b/others/mbedtls index 2ca6c285a..ec4044008 160000 --- a/others/mbedtls +++ b/others/mbedtls @@ -1 +1 @@ -Subproject commit 2ca6c285a0dd3f33982dd57299012dacab1ff206 +Subproject commit ec4044008d2d069da38288bc76b0fee34ec78646 From ba247543ad48aee172b9352c9cc0c51ba43fbb80 Mon Sep 17 00:00:00 2001 From: jens Date: Wed, 17 Dec 2025 11:22:00 +0100 Subject: [PATCH 02/13] Update all submodules --- others/libinjection | 2 +- test/test-cases/secrules-language-tests | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/others/libinjection b/others/libinjection index b9fcaaf9e..b2d46ec12 160000 --- a/others/libinjection +++ b/others/libinjection @@ -1 +1 @@ -Subproject commit b9fcaaf9e50e9492807b23ffcc6af46ee1f203b9 +Subproject commit b2d46ec124d947d2f82560074e4a348cb15148fc diff --git a/test/test-cases/secrules-language-tests b/test/test-cases/secrules-language-tests index a3d4405e5..c6e880236 160000 --- a/test/test-cases/secrules-language-tests +++ b/test/test-cases/secrules-language-tests @@ -1 +1 @@ -Subproject commit a3d4405e5a2c90488c387e589c5534974575e35b +Subproject commit c6e8802366ec3182b8c2612e23d14e19e3545b47 From 812174d17bd24165f4e5bcbf5cc3286a417186b8 Mon Sep 17 00:00:00 2001 From: jens Date: Wed, 17 Dec 2025 11:33:02 +0100 Subject: [PATCH 03/13] Update mbedtl-v4 --- configure.ac | 2 +- others/Makefile.am | 22 ++++++----- src/unique_id.cc | 5 ++- src/utils/md5.h | 46 ++++++++++++++--------- src/utils/sha1.h | 94 ++++++++++++++++++++++++++++++++-------------- 5 files changed, 110 insertions(+), 59 deletions(-) diff --git a/configure.ac b/configure.ac index 7a78bb6c7..1b3879aaf 100644 --- a/configure.ac +++ b/configure.ac @@ -78,7 +78,7 @@ AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git de AC_SUBST([LIBINJECTION_VERSION]) # Check for Mbed TLS -if ! test -f "${srcdir}/others/mbedtls/library/base64.c"; then +if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c"; then AC_MSG_ERROR([\ diff --git a/others/Makefile.am b/others/Makefile.am index b102a0330..b8be3af6e 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -15,19 +15,21 @@ noinst_HEADERS = \ libinjection/src/libinjection_sqli.h \ libinjection/src/libinjection_sqli_data.h \ libinjection/src/libinjection_xss.h \ - mbedtls/include/mbedtls/base64.h \ - mbedtls/include/mbedtls/check_config.h \ + mbedtls/tf-psa-crypto/include/mbedtls/base64.h \ + mbedtls/tf-psa-crypto/drivers/builtin/src/check_crypto_config.h \ mbedtls/include/mbedtls/mbedtls_config.h \ - mbedtls/include/mbedtls/md5.h \ - mbedtls/include/mbedtls/platform.h \ - mbedtls/include/mbedtls/sha1.h + mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/md5.h \ + mbedtls/tf-psa-crypto/include/mbedtls/platform.h \ + mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/sha1.h libmbedtls_la_SOURCES = \ - mbedtls/library/base64.c \ - mbedtls/library/md5.c \ - mbedtls/library/sha1.c \ - mbedtls/library/platform_util.c + mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c -libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include +libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = diff --git a/src/unique_id.cc b/src/unique_id.cc index 01075cc54..bf8e4afb8 100644 --- a/src/unique_id.cc +++ b/src/unique_id.cc @@ -56,7 +56,8 @@ #endif #include -#include "src/utils/sha1.h" +/*#include "src/utils/sha1.h"*/ +#include "src/utils/sha256.h" namespace modsecurity { @@ -72,7 +73,7 @@ void UniqueId::fillUniqueId() { data = macAddress + name; - this->uniqueId_str = Utils::Sha1::hexdigest(data); + this->uniqueId_str = Utils::Sha256::hexdigest(data); } // Based on: diff --git a/src/utils/md5.h b/src/utils/md5.h index 68f5d748e..55998ea65 100644 --- a/src/utils/md5.h +++ b/src/utils/md5.h @@ -1,32 +1,44 @@ /* * ModSecurity, http://www.modsecurity.org/ - * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) - * - * You may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@modsecurity.org. + * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. * + * Licensed under the Apache License, Version 2.0 */ #ifndef SRC_UTILS_MD5_H_ #define SRC_UTILS_MD5_H_ -#include "src/utils/sha1.h" -#include "mbedtls/md5.h" +#include "src/utils/sha1.h" // nutzt DigestImpl + detail::ensure_psa_init() #include -namespace modsecurity::Utils { - +#include // optional (weil sha1.h es schon inkludiert), aber ok -class Md5 : public DigestImpl<&mbedtls_md5, 16> { -}; +namespace modsecurity::Utils { +// PSA-Wrapper mit alter Signatur +inline int modsec_psa_md5(const unsigned char *input, + size_t ilen, + unsigned char output[16]) +{ + if (!detail::ensure_psa_init()) { + return -1; + } + + size_t out_len = 0; + psa_status_t status = psa_hash_compute( + PSA_ALG_MD5, + input, + ilen, + output, + 16, + &out_len + ); + + return (status == PSA_SUCCESS && out_len == 16) ? 0 : -1; +} + +class Md5 : public DigestImpl<&modsec_psa_md5, 16> {}; } // namespace modsecurity::Utils -#endif // SRC_UTILS_MD5_H_ \ No newline at end of file +#endif // SRC_UTILS_MD5_H_ diff --git a/src/utils/sha1.h b/src/utils/sha1.h index a40d7fa1c..623161256 100644 --- a/src/utils/sha1.h +++ b/src/utils/sha1.h @@ -1,74 +1,110 @@ /* * ModSecurity, http://www.modsecurity.org/ - * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) - * - * You may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@modsecurity.org. + * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. * + * Licensed under the Apache License, Version 2.0 */ #ifndef SRC_UTILS_SHA1_H_ #define SRC_UTILS_SHA1_H_ #include -#include +#include +#include // NEW: std::once_flag, std::call_once #include "src/utils/string.h" -#include "mbedtls/sha1.h" -namespace modsecurity::Utils { +// PSA statt mbedtls/sha1.h +#include +namespace modsecurity::Utils { using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []); +// Gemeinsamer, thread-sicherer PSA-Init für alle Digests +namespace detail { +inline bool ensure_psa_init() { + static std::once_flag once; + static psa_status_t init_status = PSA_ERROR_GENERIC_ERROR; + + std::call_once(once, []() { + init_status = psa_crypto_init(); + }); + + return init_status == PSA_SUCCESS; +} +} // namespace detail + template class DigestImpl { public: - static std::string digest(const std::string& input) { - return digestHelper(input, [](const auto digest) { + return digestHelper(input, [](std::string_view digest) { return std::string(digest); }); } static void digestReplace(std::string& value) { - digestHelper(value, [&value](const auto digest) mutable { - value = digest; + digestHelper(value, [&value](std::string_view digest) mutable { + value.assign(digest.data(), digest.size()); }); } static std::string hexdigest(const std::string &input) { - return digestHelper(input, [](const auto digest) { + return digestHelper(input, [](std::string_view digest) { return utils::string::string_to_hex(digest); }); } -private: - + private: template - static auto digestHelper(const std::string &input, - ConvertOp convertOp) -> auto { - char digest[DigestSize]; + static auto digestHelper(const std::string &input, ConvertOp convertOp) + -> decltype(convertOp(std::string_view{})) { + + unsigned char digest[DigestSize]; + + const int ret = (*digestOp)( + reinterpret_cast(input.data()), + input.size(), + digest + ); - const auto ret = (*digestOp)(reinterpret_cast(input.c_str()), - input.size(), reinterpret_cast(digest)); - assert(ret == 0); + // NEW: kein assert-only; in Release sonst potentiell UB. + if (ret != 0) { + return convertOp(std::string_view{}); // leerer Digest signalisiert Fehler + } - return convertOp(std::string_view(digest, DigestSize)); + return convertOp(std::string_view( + reinterpret_cast(digest), DigestSize + )); } }; -class Sha1 : public DigestImpl<&mbedtls_sha1, 20> { -}; +// PSA-Wrapper mit alter Signatur +inline int modsec_psa_sha1(const unsigned char *input, + size_t ilen, + unsigned char output[20]) +{ + if (!detail::ensure_psa_init()) { + return -1; + } + + size_t out_len = 0; + psa_status_t status = psa_hash_compute( + PSA_ALG_SHA_1, + input, + ilen, + output, + 20, + &out_len + ); + + return (status == PSA_SUCCESS && out_len == 20) ? 0 : -1; +} +class Sha1 : public DigestImpl<&modsec_psa_sha1, 20> {}; } // namespace modsecurity::Utils From 01c3a2f5142546b2dae2d809d87512bc3ff5a123 Mon Sep 17 00:00:00 2001 From: jens Date: Sun, 21 Dec 2025 10:34:06 +0100 Subject: [PATCH 04/13] Revert "Update all submodules" This reverts commit ba247543ad48aee172b9352c9cc0c51ba43fbb80. --- others/libinjection | 2 +- test/test-cases/secrules-language-tests | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/others/libinjection b/others/libinjection index b2d46ec12..b9fcaaf9e 160000 --- a/others/libinjection +++ b/others/libinjection @@ -1 +1 @@ -Subproject commit b2d46ec124d947d2f82560074e4a348cb15148fc +Subproject commit b9fcaaf9e50e9492807b23ffcc6af46ee1f203b9 diff --git a/test/test-cases/secrules-language-tests b/test/test-cases/secrules-language-tests index c6e880236..a3d4405e5 160000 --- a/test/test-cases/secrules-language-tests +++ b/test/test-cases/secrules-language-tests @@ -1 +1 @@ -Subproject commit c6e8802366ec3182b8c2612e23d14e19e3545b47 +Subproject commit a3d4405e5a2c90488c387e589c5534974575e35b From 23e513cf5319a1c764cec6889ecc2a44b02e8442 Mon Sep 17 00:00:00 2001 From: jens Date: Sun, 21 Dec 2025 14:54:05 +0100 Subject: [PATCH 05/13] WIP: intermediate state (mbedtls v4.0.0 and updates) --- configure.ac | 11 +++- others/Makefile.am | 68 +++++++++++++++++++++++-- src/Makefile.am | 1 + src/parser/seclang-scanner.cc | 10 ++-- src/parser/test.cc | 0 src/utils/sha256.h | 34 +++++++++++++ test/test-cases/secrules-language-tests | 2 +- 7 files changed, 115 insertions(+), 11 deletions(-) create mode 100644 src/parser/test.cc create mode 100644 src/utils/sha256.h diff --git a/configure.ac b/configure.ac index 1b3879aaf..7e862120a 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# ModSecurity configure.ac +/# ModSecurity configure.ac # Get the hash of the last commit, to be used if it is not an @@ -374,6 +374,15 @@ case $assertions in esac GLOBAL_CPPFLAGS="$GLOBAL_CPPFLAGS $ASSERTIONS_CPPCFLAGS" +MBEDTLS_CPPFLAGS='-DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" \ +-I$(top_srcdir)/others/mbedtls/include \ +-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \ +-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ +-I$(top_srcdir)/others/mbedtls/include \ +-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core \ +-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src' +GLOBAL_CPPFLAGS="$GLOBAL_CPPFLAGS $MBEDTLS_CPPFLAGS" + AC_SUBST(GLOBAL_LDADD) AC_SUBST(GLOBAL_CPPFLAGS) diff --git a/others/Makefile.am b/others/Makefile.am index b8be3af6e..493b06ba1 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -1,5 +1,5 @@ -noinst_LTLIBRARIES = libinjection.la libmbedtls.la +noinst_LTLIBRARIES = libinjection.la libmbedtls.la libmbedcrypto.la libinjection_la_SOURCES = \ libinjection/src/libinjection_html5.c \ @@ -26,10 +26,70 @@ libmbedtls_la_SOURCES = \ mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c \ mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \ mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c + mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/bignum.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ccm.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/cipher.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ctr_drbg.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ecp.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/entropy.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/gcm.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/rsa.c \ + mbedtls/tf-psa-crypto/core/psa_crypto.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_client.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_slot_management.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_storage.c \ + mbedtls/tf-psa-crypto/core/psa_its_file.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_driver_wrappers_no_static.c + +libmbedcrypto_la_SOURCES = \ + mbedtls/library/mps_reader.c \ + mbedtls/library/mps_trace.c \ + mbedtls/library/net_sockets.c \ + mbedtls/library/pkcs7.c \ + mbedtls/library/ssl_cache.c \ + mbedtls/library/ssl_ciphersuites.c \ + mbedtls/library/ssl_client.c \ + mbedtls/library/ssl_cookie.c \ + mbedtls/library/ssl_msg.c \ + mbedtls/library/ssl_ticket.c \ + mbedtls/library/ssl_tls.c \ + mbedtls/library/ssl_tls12_client.c \ + mbedtls/library/ssl_tls12_server.c \ + mbedtls/library/ssl_tls13_client.c \ + mbedtls/library/ssl_tls13_generic.c \ + mbedtls/library/ssl_tls13_keys.c \ + mbedtls/library/ssl_tls13_server.c \ + mbedtls/library/timing.c \ + mbedtls/library/version.c \ + mbedtls/library/x509.c \ + mbedtls/library/x509_create.c \ + mbedtls/library/x509_crl.c \ + mbedtls/library/x509_crt.c \ + mbedtls/library/x509_csr.c \ + mbedtls/library/x509_oid.c \ + mbedtls/library/x509write.c \ + mbedtls/library/x509write_crt.c \ + mbedtls/library/x509write_csr.c + + libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core \ + -I$(top_srcdir)/others/mbedtls/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src +libmbedcrypto_la_CPPFLAGS = \ + -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" \ + -I$(top_srcdir)/others/mbedtls/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core + libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = + +#libmbedcrypto_la_CPPFLAGS = +#libmbedcrypto_la_LIBADD = diff --git a/src/Makefile.am b/src/Makefile.am index 14c26697b..2ec0e5be3 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -338,6 +338,7 @@ libmodsecurity_la_LIBADD = \ $(LUA_LDADD) \ ../others/libinjection.la \ ../others/libmbedtls.la \ + ../others/libmbedcrypto.la \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(MAXMIND_LDADD) \ diff --git a/src/parser/seclang-scanner.cc b/src/parser/seclang-scanner.cc index ddedb290d..0bd06ae66 100644 --- a/src/parser/seclang-scanner.cc +++ b/src/parser/seclang-scanner.cc @@ -1,5 +1,5 @@ -#line 2 "seclang-scanner.cc" +#line 3 "seclang-scanner.cc" #define YY_INT_ALIGNED short int @@ -5017,7 +5017,7 @@ static std::stack YY_PREVIOUS_STATE; #define BEGIN_PREVIOUS() { BEGIN(YY_PREVIOUS_STATE.top()); YY_PREVIOUS_STATE.pop(); } // The location of the current token. -#line 5020 "seclang-scanner.cc" +#line 5021 "seclang-scanner.cc" #define YY_NO_INPUT 1 #define YY_NO_UNISTD_H 1 @@ -5025,8 +5025,8 @@ static std::stack YY_PREVIOUS_STATE; // Code run each time a pattern is matched. # define YY_USER_ACTION driver.loc.back()->columns (yyleng); -#line 5028 "seclang-scanner.cc" #line 5029 "seclang-scanner.cc" +#line 5030 "seclang-scanner.cc" #define INITIAL 0 #define EXPECTING_ACTION_PREDICATE_VARIABLE 1 @@ -5348,7 +5348,7 @@ YY_DECL // Code run each time yylex is called. driver.loc.back()->step(); -#line 5351 "seclang-scanner.cc" +#line 5352 "seclang-scanner.cc" while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */ { @@ -8484,7 +8484,7 @@ YY_RULE_SETUP #line 1350 "seclang-scanner.ll" ECHO; YY_BREAK -#line 8487 "seclang-scanner.cc" +#line 8488 "seclang-scanner.cc" case YY_END_OF_BUFFER: { diff --git a/src/parser/test.cc b/src/parser/test.cc new file mode 100644 index 000000000..e69de29bb diff --git a/src/utils/sha256.h b/src/utils/sha256.h new file mode 100644 index 000000000..c2353ccb1 --- /dev/null +++ b/src/utils/sha256.h @@ -0,0 +1,34 @@ +#ifndef SRC_UTILS_SHA256_H_ +#define SRC_UTILS_SHA256_H_ + +#include "src/utils/sha1.h" // bringt DigestImpl + detail::ensure_psa_init() +#include + +namespace modsecurity::Utils { + +inline int modsec_psa_sha256(const unsigned char *input, + size_t ilen, + unsigned char output[32]) +{ + if (!detail::ensure_psa_init()) { + return -1; + } + + size_t out_len = 0; + psa_status_t status = psa_hash_compute( + PSA_ALG_SHA_256, + input, + ilen, + output, + 32, + &out_len + ); + + return (status == PSA_SUCCESS && out_len == 32) ? 0 : -1; +} + +class Sha256 : public DigestImpl<&modsec_psa_sha256, 32> {}; + +} // namespace modsecurity::Utils + +#endif // SRC_UTILS_SHA256_H_ diff --git a/test/test-cases/secrules-language-tests b/test/test-cases/secrules-language-tests index a3d4405e5..c6e880236 160000 --- a/test/test-cases/secrules-language-tests +++ b/test/test-cases/secrules-language-tests @@ -1 +1 @@ -Subproject commit a3d4405e5a2c90488c387e589c5534974575e35b +Subproject commit c6e8802366ec3182b8c2612e23d14e19e3545b47 From fba1de54963770c26d5d9b7e86cafb305ff2322b Mon Sep 17 00:00:00 2001 From: jens Date: Sun, 21 Dec 2025 15:31:24 +0100 Subject: [PATCH 06/13] Build working: update submodules and autotools files --- configure.ac | 2 +- others/Makefile.am | 150 +++++++++++++++++++++++++-------------------- src/Makefile.am | 1 - 3 files changed, 85 insertions(+), 68 deletions(-) diff --git a/configure.ac b/configure.ac index 7e862120a..266a12f94 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -/# ModSecurity configure.ac +# ModSecurity configure.ac # Get the hash of the last commit, to be used if it is not an diff --git a/others/Makefile.am b/others/Makefile.am index 493b06ba1..91f6e389c 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -1,5 +1,5 @@ -noinst_LTLIBRARIES = libinjection.la libmbedtls.la libmbedcrypto.la +noinst_LTLIBRARIES = libinjection.la libmbedtls.la libinjection_la_SOURCES = \ libinjection/src/libinjection_html5.c \ @@ -22,74 +22,92 @@ noinst_HEADERS = \ mbedtls/tf-psa-crypto/include/mbedtls/platform.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/sha1.h -libmbedtls_la_SOURCES = \ - mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/bignum.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/ccm.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/cipher.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/ctr_drbg.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/ecp.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/entropy.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/gcm.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/rsa.c \ - mbedtls/tf-psa-crypto/core/psa_crypto.c \ - mbedtls/tf-psa-crypto/core/psa_crypto_client.c \ - mbedtls/tf-psa-crypto/core/psa_crypto_slot_management.c \ - mbedtls/tf-psa-crypto/core/psa_crypto_storage.c \ - mbedtls/tf-psa-crypto/core/psa_its_file.c \ - mbedtls/tf-psa-crypto/core/psa_crypto_driver_wrappers_no_static.c - -libmbedcrypto_la_SOURCES = \ - mbedtls/library/mps_reader.c \ - mbedtls/library/mps_trace.c \ - mbedtls/library/net_sockets.c \ - mbedtls/library/pkcs7.c \ - mbedtls/library/ssl_cache.c \ - mbedtls/library/ssl_ciphersuites.c \ - mbedtls/library/ssl_client.c \ - mbedtls/library/ssl_cookie.c \ - mbedtls/library/ssl_msg.c \ - mbedtls/library/ssl_ticket.c \ - mbedtls/library/ssl_tls.c \ - mbedtls/library/ssl_tls12_client.c \ - mbedtls/library/ssl_tls12_server.c \ - mbedtls/library/ssl_tls13_client.c \ - mbedtls/library/ssl_tls13_generic.c \ - mbedtls/library/ssl_tls13_keys.c \ - mbedtls/library/ssl_tls13_server.c \ - mbedtls/library/timing.c \ - mbedtls/library/version.c \ - mbedtls/library/x509.c \ - mbedtls/library/x509_create.c \ - mbedtls/library/x509_crl.c \ - mbedtls/library/x509_crt.c \ - mbedtls/library/x509_csr.c \ - mbedtls/library/x509_oid.c \ - mbedtls/library/x509write.c \ - mbedtls/library/x509write_crt.c \ - mbedtls/library/x509write_csr.c +MBED_PSA_CORE_SOURCES = \ + mbedtls/tf-psa-crypto/core/psa_crypto.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_client.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_slot_management.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_storage.c \ + mbedtls/tf-psa-crypto/core/psa_its_file.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_driver_wrappers_no_static.c +MBED_BUILTIN_SOURCES = \ + mbedtls/tf-psa-crypto/drivers/builtin/src/aes.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/aesce.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/aesni.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/aria.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/asn1parse.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/asn1write.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/bignum.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_core.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_mod.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/block_cipher.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/camellia.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ccm.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/chacha20.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/chachapoly.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/cipher.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/cipher_wrap.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/cmac.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/constant_time.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ctr_drbg.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ecdh.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ecdsa.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ecjpake.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ecp.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ecp_curves.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ecp_curves_new.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/entropy.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/entropy_poll.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/gcm.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/hmac_drbg.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/md.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/memory_buffer_alloc.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/nist_kw.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/oid.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pem.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pk.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pk_ecc.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pk_rsa.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pk_wrap.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pkcs5.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pkparse.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pkwrite.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/platform.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/poly1305.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_aead.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_cipher.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_ecp.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_ffdh.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_hash.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_mac.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_pake.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_rsa.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_util.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ripemd160.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/rsa.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/rsa_alt_helpers.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/sha256.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/sha3.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/sha512.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/threading.c +libmbedtls_la_SOURCES = \ + $(MBED_PSA_CORE_SOURCES) \ + $(MBED_BUILTIN_SOURCES) -libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core \ - -I$(top_srcdir)/others/mbedtls/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src -libmbedcrypto_la_CPPFLAGS = \ - -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" \ - -I$(top_srcdir)/others/mbedtls/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core +libmbedtls_la_CPPFLAGS = \ + -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" \ + -I$(top_srcdir)/others/mbedtls/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src -libmbedtls_la_CPPFLAGS = +#libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = -#libmbedcrypto_la_CPPFLAGS = -#libmbedcrypto_la_LIBADD = diff --git a/src/Makefile.am b/src/Makefile.am index 2ec0e5be3..14c26697b 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -338,7 +338,6 @@ libmodsecurity_la_LIBADD = \ $(LUA_LDADD) \ ../others/libinjection.la \ ../others/libmbedtls.la \ - ../others/libmbedcrypto.la \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(MAXMIND_LDADD) \ From a6a3a3d4e7dc16f8b35b7b6c64d6a51d9f4cb396 Mon Sep 17 00:00:00 2001 From: jens Date: Thu, 25 Dec 2025 13:31:01 +0100 Subject: [PATCH 07/13] auto-generate psa_crypto_driver_wrappers.h during build --- build.sh | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/build.sh b/build.sh index 7f47f03c0..072eddf9e 100755 --- a/build.sh +++ b/build.sh @@ -24,6 +24,32 @@ ls -1 \ *.h | tr "\012" " " >> headers.mk cd ../ +############################################################################## +# NEU: psa_crypto_driver_wrappers.h automatisch generieren, Pfad wird gesucht +############################################################################## +echo "[+] Suche nach psa_crypto_driver_wrappers.h …" +if ! find . -maxdepth 10 -type f -name 'psa_crypto_driver_wrappers.h' | grep -q .; then + echo "[+] Datei nicht gefunden, suche nach generate_driver_wrappers.py …" + GEN_SCRIPT=$(find . -maxdepth 10 -type f -name 'generate_driver_wrappers.py' | head -n 1) + + if [ -n "$GEN_SCRIPT" ]; then + GEN_DIR=$(dirname "$GEN_SCRIPT") + echo "[+] Generator-Skript gefunden in: $GEN_DIR" + ( + cd "$GEN_DIR" || exit 1 + # optional: Python-Abhängigkeiten leise installieren + python3 -m pip install --user jinja2 jsonschema >/dev/null 2>&1 || true + echo "[+] Starte: python3 $(basename "$GEN_SCRIPT")" + python3 "$(basename "$GEN_SCRIPT")" + ) + else + echo "[!] Kein generate_driver_wrappers.py gefunden – Schritt wird übersprungen." + fi +else + echo "[+] psa_crypto_driver_wrappers.h existiert bereits, nichts zu tun." +fi +############################################################################## + case `uname` in Darwin*) glibtoolize --force --copy ;; *) libtoolize --force --copy ;; esac autoreconf --install @@ -31,5 +57,3 @@ autoheader automake --add-missing --foreign --copy --force-missing autoconf --force rm -rf autom4te.cache - - From e2018dc4a3740534cefc44c59aeaccf34c06b1c0 Mon Sep 17 00:00:00 2001 From: jens Date: Tue, 27 Jan 2026 11:00:57 +0100 Subject: [PATCH 08/13] Change comments from German to English and reset seclang-scanner.cc --- build.sh | 24 ++++++++++-------------- src/parser/seclang-scanner.cc | 10 +++++----- src/utils/md5.h | 6 +++--- src/utils/sha1.h | 10 +++++----- src/utils/sha256.h | 2 +- 5 files changed, 24 insertions(+), 28 deletions(-) mode change 100755 => 100644 build.sh diff --git a/build.sh b/build.sh old mode 100755 new mode 100644 index 072eddf9e..59fbda2a7 --- a/build.sh +++ b/build.sh @@ -1,8 +1,6 @@ #!/bin/sh - rm -rf autom4te.cache rm -f aclocal.m4 - cd src rm -f headers.mk echo "noinst_HEADERS = \\" > headers.mk @@ -23,33 +21,31 @@ ls -1 \ engine/*.h \ *.h | tr "\012" " " >> headers.mk cd ../ - ############################################################################## -# NEU: psa_crypto_driver_wrappers.h automatisch generieren, Pfad wird gesucht +# NEW: Automatically generate psa_crypto_driver_wrappers.h, path will be searched ############################################################################## -echo "[+] Suche nach psa_crypto_driver_wrappers.h …" -if ! find . -maxdepth 10 -type f -name 'psa_crypto_driver_wrappers.h' | grep -q .; then - echo "[+] Datei nicht gefunden, suche nach generate_driver_wrappers.py …" +echo "[+] Searching for psa_crypto_driver_wrappers.h …" +if ! find . -maxdepth 10 -type f -name 'psa_crypto_driver_wrappers.h' | grep -q \ +.; then + echo "[+] File not found, searching for generate_driver_wrappers.py …" GEN_SCRIPT=$(find . -maxdepth 10 -type f -name 'generate_driver_wrappers.py' | head -n 1) - if [ -n "$GEN_SCRIPT" ]; then GEN_DIR=$(dirname "$GEN_SCRIPT") - echo "[+] Generator-Skript gefunden in: $GEN_DIR" + echo "[+] Generator script found in: $GEN_DIR" ( cd "$GEN_DIR" || exit 1 - # optional: Python-Abhängigkeiten leise installieren + # optional: silently install Python dependencies python3 -m pip install --user jinja2 jsonschema >/dev/null 2>&1 || true - echo "[+] Starte: python3 $(basename "$GEN_SCRIPT")" + echo "[+] Running: python3 $(basename "$GEN_SCRIPT")" python3 "$(basename "$GEN_SCRIPT")" ) else - echo "[!] Kein generate_driver_wrappers.py gefunden – Schritt wird übersprungen." + echo "[!] No generate_driver_wrappers.py found – skipping this step." fi else - echo "[+] psa_crypto_driver_wrappers.h existiert bereits, nichts zu tun." + echo "[+] psa_crypto_driver_wrappers.h already exists, nothing to do." fi ############################################################################## - case `uname` in Darwin*) glibtoolize --force --copy ;; *) libtoolize --force --copy ;; esac autoreconf --install diff --git a/src/parser/seclang-scanner.cc b/src/parser/seclang-scanner.cc index 0bd06ae66..ddedb290d 100644 --- a/src/parser/seclang-scanner.cc +++ b/src/parser/seclang-scanner.cc @@ -1,5 +1,5 @@ -#line 3 "seclang-scanner.cc" +#line 2 "seclang-scanner.cc" #define YY_INT_ALIGNED short int @@ -5017,7 +5017,7 @@ static std::stack YY_PREVIOUS_STATE; #define BEGIN_PREVIOUS() { BEGIN(YY_PREVIOUS_STATE.top()); YY_PREVIOUS_STATE.pop(); } // The location of the current token. -#line 5021 "seclang-scanner.cc" +#line 5020 "seclang-scanner.cc" #define YY_NO_INPUT 1 #define YY_NO_UNISTD_H 1 @@ -5025,8 +5025,8 @@ static std::stack YY_PREVIOUS_STATE; // Code run each time a pattern is matched. # define YY_USER_ACTION driver.loc.back()->columns (yyleng); +#line 5028 "seclang-scanner.cc" #line 5029 "seclang-scanner.cc" -#line 5030 "seclang-scanner.cc" #define INITIAL 0 #define EXPECTING_ACTION_PREDICATE_VARIABLE 1 @@ -5348,7 +5348,7 @@ YY_DECL // Code run each time yylex is called. driver.loc.back()->step(); -#line 5352 "seclang-scanner.cc" +#line 5351 "seclang-scanner.cc" while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */ { @@ -8484,7 +8484,7 @@ YY_RULE_SETUP #line 1350 "seclang-scanner.ll" ECHO; YY_BREAK -#line 8488 "seclang-scanner.cc" +#line 8487 "seclang-scanner.cc" case YY_END_OF_BUFFER: { diff --git a/src/utils/md5.h b/src/utils/md5.h index 55998ea65..c9298ffea 100644 --- a/src/utils/md5.h +++ b/src/utils/md5.h @@ -8,14 +8,14 @@ #ifndef SRC_UTILS_MD5_H_ #define SRC_UTILS_MD5_H_ -#include "src/utils/sha1.h" // nutzt DigestImpl + detail::ensure_psa_init() +#include "src/utils/sha1.h" // uses DigestImpl + detail::ensure_psa_init() #include -#include // optional (weil sha1.h es schon inkludiert), aber ok +#include // optional (since sha1.h already includes it), but ok namespace modsecurity::Utils { -// PSA-Wrapper mit alter Signatur +// PSA wrapper with legacy signature inline int modsec_psa_md5(const unsigned char *input, size_t ilen, unsigned char output[16]) diff --git a/src/utils/sha1.h b/src/utils/sha1.h index 623161256..7737dd901 100644 --- a/src/utils/sha1.h +++ b/src/utils/sha1.h @@ -14,14 +14,14 @@ #include "src/utils/string.h" -// PSA statt mbedtls/sha1.h +// PSA instead of mbedtls/sha1.h #include namespace modsecurity::Utils { using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []); -// Gemeinsamer, thread-sicherer PSA-Init für alle Digests +// Shared, thread-safe PSA initialization for all digests namespace detail { inline bool ensure_psa_init() { static std::once_flag once; @@ -70,9 +70,9 @@ class DigestImpl { digest ); - // NEW: kein assert-only; in Release sonst potentiell UB. + // NEW: not assert-only; otherwise potential UB in release builds. if (ret != 0) { - return convertOp(std::string_view{}); // leerer Digest signalisiert Fehler + return convertOp(std::string_view{}); // empty digest signals error } return convertOp(std::string_view( @@ -82,7 +82,7 @@ class DigestImpl { }; -// PSA-Wrapper mit alter Signatur +// PSA wrapper with legacy signature inline int modsec_psa_sha1(const unsigned char *input, size_t ilen, unsigned char output[20]) diff --git a/src/utils/sha256.h b/src/utils/sha256.h index c2353ccb1..abf85b705 100644 --- a/src/utils/sha256.h +++ b/src/utils/sha256.h @@ -1,7 +1,7 @@ #ifndef SRC_UTILS_SHA256_H_ #define SRC_UTILS_SHA256_H_ -#include "src/utils/sha1.h" // bringt DigestImpl + detail::ensure_psa_init() +#include "src/utils/sha1.h" // provides DigestImpl + detail::ensure_psa_init() #include namespace modsecurity::Utils { From f506395f81298da2c691ca59148a9eceb3018d23 Mon Sep 17 00:00:00 2001 From: jens Date: Tue, 27 Jan 2026 12:26:02 +0100 Subject: [PATCH 09/13] Modernize SHA1 implementation: std::byte, std::array, safer casts --- src/utils/sha1.h | 101 ++++++++++++++++++++++++++--------------------- 1 file changed, 57 insertions(+), 44 deletions(-) diff --git a/src/utils/sha1.h b/src/utils/sha1.h index 7737dd901..cc70fbc75 100644 --- a/src/utils/sha1.h +++ b/src/utils/sha1.h @@ -8,9 +8,14 @@ #ifndef SRC_UTILS_SHA1_H_ #define SRC_UTILS_SHA1_H_ +#include +#include // std::byte +#include // std::memcpy +#include // std::once_flag, std::call_once +#include #include #include -#include // NEW: std::once_flag, std::call_once +#include #include "src/utils/string.h" @@ -19,89 +24,97 @@ namespace modsecurity::Utils { -using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []); +// Digest operation: takes input bytes and writes DigestSize bytes to output. +template +using DigestOp = int (*)(std::span input, + std::span output); -// Shared, thread-safe PSA initialization for all digests +// Shared, thread-safe PSA initialization for all digests. namespace detail { + inline bool ensure_psa_init() { static std::once_flag once; static psa_status_t init_status = PSA_ERROR_GENERIC_ERROR; - std::call_once(once, []() { - init_status = psa_crypto_init(); - }); + std::call_once(once, []() { init_status = psa_crypto_init(); }); return init_status == PSA_SUCCESS; } -} // namespace detail +inline std::span to_bytes(std::string_view s) noexcept { + const std::span chars{s.data(), s.size()}; + return std::as_bytes(chars); +} + +} // namespace detail -template +template class DigestImpl { public: static std::string digest(const std::string& input) { - return digestHelper(input, [](std::string_view digest) { - return std::string(digest); - }); + return digestHelper(input, [](std::string_view d) { return std::string{d}; }); } static void digestReplace(std::string& value) { - digestHelper(value, [&value](std::string_view digest) mutable { - value.assign(digest.data(), digest.size()); - }); + value = digest(value); } - static std::string hexdigest(const std::string &input) { - return digestHelper(input, [](std::string_view digest) { - return utils::string::string_to_hex(digest); + static std::string hexdigest(const std::string& input) { + return digestHelper(input, [](std::string_view d) { + return utils::string::string_to_hex(d); }); } private: - template - static auto digestHelper(const std::string &input, ConvertOp convertOp) + template + static auto digestHelper(const std::string& input, ConvertOp convertOp) -> decltype(convertOp(std::string_view{})) { - unsigned char digest[DigestSize]; - - const int ret = (*digestOp)( - reinterpret_cast(input.data()), - input.size(), - digest - ); + std::array digest_bytes{}; - // NEW: not assert-only; otherwise potential UB in release builds. - if (ret != 0) { - return convertOp(std::string_view{}); // empty digest signals error + if (DigestFn(detail::to_bytes(input), + std::span{digest_bytes}) != 0) { + // Empty digest signals an error. + return convertOp(std::string_view{}); } - return convertOp(std::string_view( - reinterpret_cast(digest), DigestSize - )); + // Convert byte array to a binary std::string without pointer punning. + std::string raw(DigestSize, '\0'); + std::memcpy(raw.data(), digest_bytes.data(), DigestSize); + + return convertOp(std::string_view{raw}); } }; - -// PSA wrapper with legacy signature -inline int modsec_psa_sha1(const unsigned char *input, - size_t ilen, - unsigned char output[20]) -{ +// PSA wrapper for SHA-1 (legacy-friendly error convention: 0 = success, non-zero = error). +inline int modsec_psa_sha1(std::span input, + std::span output) { if (!detail::ensure_psa_init()) { return -1; } + // psa_hash_compute uses uint8_t; copy to avoid unsafe casts. + std::vector input_u8(input.size()); + std::memcpy(input_u8.data(), input.data(), input.size()); + + std::array output_u8{}; size_t out_len = 0; - psa_status_t status = psa_hash_compute( + + const auto status = psa_hash_compute( PSA_ALG_SHA_1, - input, - ilen, - output, - 20, + input_u8.data(), + input_u8.size(), + output_u8.data(), + output_u8.size(), &out_len ); - return (status == PSA_SUCCESS && out_len == 20) ? 0 : -1; + if (status != PSA_SUCCESS || out_len != output_u8.size()) { + return -1; + } + + std::memcpy(output.data(), output_u8.data(), output_u8.size()); + return 0; } class Sha1 : public DigestImpl<&modsec_psa_sha1, 20> {}; From c4ba2dfcae5d3179eddf0d8a52558c80a7d1798a Mon Sep 17 00:00:00 2001 From: jens Date: Tue, 27 Jan 2026 12:32:25 +0100 Subject: [PATCH 10/13] Fix build script permissions --- build.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 build.sh diff --git a/build.sh b/build.sh old mode 100644 new mode 100755 From 795cf67cb84fcbb46e5648967c75c4d1607a2b8b Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Tue, 27 Jan 2026 19:05:57 +0100 Subject: [PATCH 11/13] Delete src/parser/test.cc --- src/parser/test.cc | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 src/parser/test.cc diff --git a/src/parser/test.cc b/src/parser/test.cc deleted file mode 100644 index e69de29bb..000000000 From d127722331c06e26505a919c85e8b8c7147f9e3c Mon Sep 17 00:00:00 2001 From: jens Date: Tue, 27 Jan 2026 20:44:19 +0100 Subject: [PATCH 12/13] Restore original ModSecurity license header --- src/utils/md5.h | 12 ++++++++++-- src/utils/sha1.h | 12 ++++++++++-- src/utils/sha256.h | 16 ++++++++++++++++ 3 files changed, 36 insertions(+), 4 deletions(-) diff --git a/src/utils/md5.h b/src/utils/md5.h index c9298ffea..834039cc3 100644 --- a/src/utils/md5.h +++ b/src/utils/md5.h @@ -1,8 +1,16 @@ /* * ModSecurity, http://www.modsecurity.org/ - * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. + * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * + * You may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * If any of the files related to licensing are missing or if you have any + * other questions related to licensing please contact Trustwave Holdings, Inc. + * directly using the email address security@modsecurity.org. * - * Licensed under the Apache License, Version 2.0 */ #ifndef SRC_UTILS_MD5_H_ diff --git a/src/utils/sha1.h b/src/utils/sha1.h index cc70fbc75..2df3d3822 100644 --- a/src/utils/sha1.h +++ b/src/utils/sha1.h @@ -1,8 +1,16 @@ /* * ModSecurity, http://www.modsecurity.org/ - * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. + * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * + * You may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * If any of the files related to licensing are missing or if you have any + * other questions related to licensing please contact Trustwave Holdings, Inc. + * directly using the email address security@modsecurity.org. * - * Licensed under the Apache License, Version 2.0 */ #ifndef SRC_UTILS_SHA1_H_ diff --git a/src/utils/sha256.h b/src/utils/sha256.h index abf85b705..401c8aa34 100644 --- a/src/utils/sha256.h +++ b/src/utils/sha256.h @@ -1,3 +1,19 @@ +/* + * ModSecurity, http://www.modsecurity.org/ + * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * + * You may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * If any of the files related to licensing are missing or if you have any + * other questions related to licensing please contact Trustwave Holdings, Inc. + * directly using the email address security@modsecurity.org. + * + */ + + #ifndef SRC_UTILS_SHA256_H_ #define SRC_UTILS_SHA256_H_ From d67bf140bc100ca7e6f3d25a46958c050b645a62 Mon Sep 17 00:00:00 2001 From: jens Date: Tue, 27 Jan 2026 21:23:12 +0100 Subject: [PATCH 13/13] Fix SHA1/MD5 digest helpers to be C++17-compatible --- src/utils/sha1.h | 79 ++++++++++++++++++++---------------------------- 1 file changed, 33 insertions(+), 46 deletions(-) diff --git a/src/utils/sha1.h b/src/utils/sha1.h index 2df3d3822..3c9ee6955 100644 --- a/src/utils/sha1.h +++ b/src/utils/sha1.h @@ -17,29 +17,20 @@ #define SRC_UTILS_SHA1_H_ #include -#include // std::byte -#include // std::memcpy -#include // std::once_flag, std::call_once -#include +#include +#include +#include #include #include -#include #include "src/utils/string.h" - -// PSA instead of mbedtls/sha1.h #include namespace modsecurity::Utils { -// Digest operation: takes input bytes and writes DigestSize bytes to output. -template -using DigestOp = int (*)(std::span input, - std::span output); - -// Shared, thread-safe PSA initialization for all digests. namespace detail { +// Thread-safe PSA initialization shared by all digests inline bool ensure_psa_init() { static std::once_flag once; static psa_status_t init_status = PSA_ERROR_GENERIC_ERROR; @@ -49,18 +40,22 @@ inline bool ensure_psa_init() { return init_status == PSA_SUCCESS; } -inline std::span to_bytes(std::string_view s) noexcept { - const std::span chars{s.data(), s.size()}; - return std::as_bytes(chars); -} - } // namespace detail +// C-friendly digest function signature (matches legacy wrappers like modsec_psa_md5) +template +using DigestOp = int (*)(const unsigned char* input, + std::size_t input_len, + unsigned char* output); + +// Generic digest implementation template class DigestImpl { public: static std::string digest(const std::string& input) { - return digestHelper(input, [](std::string_view d) { return std::string{d}; }); + return digestHelper(input, [](std::string_view d) { + return std::string{d}; + }); } static void digestReplace(std::string& value) { @@ -78,51 +73,42 @@ class DigestImpl { static auto digestHelper(const std::string& input, ConvertOp convertOp) -> decltype(convertOp(std::string_view{})) { - std::array digest_bytes{}; + std::array out{}; + const std::string_view sv{input}; - if (DigestFn(detail::to_bytes(input), - std::span{digest_bytes}) != 0) { - // Empty digest signals an error. + const auto* in_ptr = + reinterpret_cast(sv.data()); + const std::size_t in_len = sv.size(); + + if (DigestFn(in_ptr, in_len, out.data()) != 0) { return convertOp(std::string_view{}); } - // Convert byte array to a binary std::string without pointer punning. std::string raw(DigestSize, '\0'); - std::memcpy(raw.data(), digest_bytes.data(), DigestSize); - + std::memcpy(raw.data(), out.data(), DigestSize); return convertOp(std::string_view{raw}); } }; -// PSA wrapper for SHA-1 (legacy-friendly error convention: 0 = success, non-zero = error). -inline int modsec_psa_sha1(std::span input, - std::span output) { +// PSA wrapper for SHA-1 (0 = success, non-zero = error) +inline int modsec_psa_sha1(const unsigned char* input, + std::size_t ilen, + unsigned char* output) { if (!detail::ensure_psa_init()) { return -1; } - // psa_hash_compute uses uint8_t; copy to avoid unsafe casts. - std::vector input_u8(input.size()); - std::memcpy(input_u8.data(), input.data(), input.size()); - - std::array output_u8{}; size_t out_len = 0; - - const auto status = psa_hash_compute( + psa_status_t status = psa_hash_compute( PSA_ALG_SHA_1, - input_u8.data(), - input_u8.size(), - output_u8.data(), - output_u8.size(), + input, + ilen, + output, + 20, &out_len ); - if (status != PSA_SUCCESS || out_len != output_u8.size()) { - return -1; - } - - std::memcpy(output.data(), output_u8.data(), output_u8.size()); - return 0; + return (status == PSA_SUCCESS && out_len == 20) ? 0 : -1; } class Sha1 : public DigestImpl<&modsec_psa_sha1, 20> {}; @@ -130,3 +116,4 @@ class Sha1 : public DigestImpl<&modsec_psa_sha1, 20> {}; } // namespace modsecurity::Utils #endif // SRC_UTILS_SHA1_H_ +