From f132bb39e89a84b2e2c477db186025b7fc31b365 Mon Sep 17 00:00:00 2001
From: jens
Date: Wed, 17 Dec 2025 10:32:32 +0100
Subject: [PATCH 01/15] Pin mbedtls submodule to v4.0.0
---
others/mbedtls | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/others/mbedtls b/others/mbedtls
index 2ca6c285a..ec4044008 160000
--- a/others/mbedtls
+++ b/others/mbedtls
@@ -1 +1 @@
-Subproject commit 2ca6c285a0dd3f33982dd57299012dacab1ff206
+Subproject commit ec4044008d2d069da38288bc76b0fee34ec78646
From ba247543ad48aee172b9352c9cc0c51ba43fbb80 Mon Sep 17 00:00:00 2001
From: jens
Date: Wed, 17 Dec 2025 11:22:00 +0100
Subject: [PATCH 02/15] Update all submodules
---
others/libinjection | 2 +-
test/test-cases/secrules-language-tests | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/others/libinjection b/others/libinjection
index b9fcaaf9e..b2d46ec12 160000
--- a/others/libinjection
+++ b/others/libinjection
@@ -1 +1 @@
-Subproject commit b9fcaaf9e50e9492807b23ffcc6af46ee1f203b9
+Subproject commit b2d46ec124d947d2f82560074e4a348cb15148fc
diff --git a/test/test-cases/secrules-language-tests b/test/test-cases/secrules-language-tests
index a3d4405e5..c6e880236 160000
--- a/test/test-cases/secrules-language-tests
+++ b/test/test-cases/secrules-language-tests
@@ -1 +1 @@
-Subproject commit a3d4405e5a2c90488c387e589c5534974575e35b
+Subproject commit c6e8802366ec3182b8c2612e23d14e19e3545b47
From 812174d17bd24165f4e5bcbf5cc3286a417186b8 Mon Sep 17 00:00:00 2001
From: jens
Date: Wed, 17 Dec 2025 11:33:02 +0100
Subject: [PATCH 03/15] Update mbedtl-v4
---
configure.ac | 2 +-
others/Makefile.am | 22 ++++++-----
src/unique_id.cc | 5 ++-
src/utils/md5.h | 46 ++++++++++++++---------
src/utils/sha1.h | 94 ++++++++++++++++++++++++++++++++--------------
5 files changed, 110 insertions(+), 59 deletions(-)
diff --git a/configure.ac b/configure.ac
index 7a78bb6c7..1b3879aaf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -78,7 +78,7 @@ AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git de AC_SUBST([LIBINJECTION_VERSION]) # Check for Mbed TLS -if ! test -f "${srcdir}/others/mbedtls/library/base64.c"; then +if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c"; then AC_MSG_ERROR([\ diff --git a/others/Makefile.am b/others/Makefile.am index b102a0330..b8be3af6e 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -15,19 +15,21 @@ noinst_HEADERS = \ libinjection/src/libinjection_sqli.h \ libinjection/src/libinjection_sqli_data.h \ libinjection/src/libinjection_xss.h \ - mbedtls/include/mbedtls/base64.h \ - mbedtls/include/mbedtls/check_config.h \ + mbedtls/tf-psa-crypto/include/mbedtls/base64.h \ + mbedtls/tf-psa-crypto/drivers/builtin/src/check_crypto_config.h \ mbedtls/include/mbedtls/mbedtls_config.h \ - mbedtls/include/mbedtls/md5.h \ - mbedtls/include/mbedtls/platform.h \ - mbedtls/include/mbedtls/sha1.h + mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/md5.h \ + mbedtls/tf-psa-crypto/include/mbedtls/platform.h \ + mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/sha1.h libmbedtls_la_SOURCES = \ - mbedtls/library/base64.c \ - mbedtls/library/md5.c \ - mbedtls/library/sha1.c \ - mbedtls/library/platform_util.c + mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c -libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include +libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = 
diff --git a/src/unique_id.cc b/src/unique_id.cc index 01075cc54..bf8e4afb8 100644 --- a/src/unique_id.cc +++ b/src/unique_id.cc @@ -56,7 +56,8 @@ #endif #include -#include "src/utils/sha1.h" +/*#include "src/utils/sha1.h"*/ +#include "src/utils/sha256.h" namespace modsecurity { @@ -72,7 +73,7 @@ void UniqueId::fillUniqueId() { data = macAddress + name; - this->uniqueId_str = Utils::Sha1::hexdigest(data); + this->uniqueId_str = Utils::Sha256::hexdigest(data); } // Based on: diff --git a/src/utils/md5.h b/src/utils/md5.h index 68f5d748e..55998ea65 100644 --- a/src/utils/md5.h +++ b/src/utils/md5.h 
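Review bot: Switching `fillUniqueId` from `Utils::Sha1::hexdigest` to `Utils::Sha256::hexdigest` changes `uniqueId_str` from 40 to 64 hex characters, and neither the commit message nor a comment records that; anything that logs, stores or validates the id by length (audit-log consumers, tests) should be checked before this lands. The commented-out `/*#include "src/utils/sha1.h"*/` should be deleted rather than left as dead text, since version control already keeps the history. If the longer id is intended, say so at the assignment, e.g. `// SHA-256 hex digest (64 chars); was a 40-char SHA-1 digest before the mbedtls v4 migration`. The body of `fillUniqueId` starts outside the hunk.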
@@ -1,32 +1,44 @@ /* * ModSecurity, http://www.modsecurity.org/ - * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) - * - * You may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@modsecurity.org. + * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. * + * Licensed under the Apache License, Version 2.0 */ #ifndef SRC_UTILS_MD5_H_ #define SRC_UTILS_MD5_H_ -#include "src/utils/sha1.h" -#include "mbedtls/md5.h" +#include "src/utils/sha1.h" // nutzt DigestImpl + detail::ensure_psa_init() #include -namespace modsecurity::Utils { - +#include // optional (weil sha1.h es schon inkludiert), aber ok -class Md5 : public DigestImpl<&mbedtls_md5, 16> { -}; +namespace modsecurity::Utils { +// PSA-Wrapper mit alter Signatur +inline int modsec_psa_md5(const unsigned char *input, + size_t ilen, + unsigned char output[16]) +{ + if (!detail::ensure_psa_init()) { + return -1; + } + + size_t out_len = 0; + psa_status_t status = psa_hash_compute( + PSA_ALG_MD5, + input, + ilen, + output, + 16, + &out_len + ); + + return (status == PSA_SUCCESS && out_len == 16) ? 0 : -1; +} + +class Md5 : public DigestImpl<&modsec_psa_md5, 16> {}; } // namespace modsecurity::Utils -#endif // SRC_UTILS_MD5_H_ \ No newline at end of file +#endif // SRC_UTILS_MD5_H_ diff --git a/src/utils/sha1.h b/src/utils/sha1.h index a40d7fa1c..623161256 100644 --- a/src/utils/sha1.h +++ b/src/utils/sha1.h 
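Review bot: `modsec_psa_md5` is the same function as `modsec_psa_sha1` in sha1.h (and the later `modsec_psa_sha256`) with only the algorithm constant and the output length changed, and md5.h now includes sha1.h solely to reach `DigestImpl` and `detail::ensure_psa_init`; one template in a shared digest header removes the triplication and the md5-depends-on-sha1 layering. A second point is that with the direct `mbedtls_md5` call gone, an algorithm left out of the PSA crypto configuration no longer fails at link time but surfaces at runtime as a `PSA_ERROR_NOT_SUPPORTED` status that this wrapper folds into a bare `-1`; the project's `mbedtls_config.h` is not on this page, so whether MD5 is still enabled there should be confirmed, and the wrapper deserves a comment such as `// Returns -1 if PSA init fails or the algorithm is not enabled in the crypto config (runtime, not link-time, failure)`. The rewrite below is what I would put in the shared header; each digest class then becomes a one-liner like `class Md5 : public DigestImpl<&psa_hash_fixed<PSA_ALG_MD5, 16>, 16> {};`.
```cpp
// Shared PSA one-shot hash wrapper with the legacy (input, len, output) signature.
// Returns 0 on success; -1 if PSA could not be initialised, the algorithm is not
// enabled in the crypto config, or the produced length is not Size.
template <psa_algorithm_t Alg, size_t Size>
inline int psa_hash_fixed(const unsigned char *input,
                          size_t ilen,
                          unsigned char output[Size]) {
    if (!detail::ensure_psa_init()) {
        return -1;
    }
    size_t out_len = 0;
    const psa_status_t status =
        psa_hash_compute(Alg, input, ilen, output, Size, &out_len);
    return (status == PSA_SUCCESS && out_len == Size) ? 0 : -1;
}
```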
@@ -1,74 +1,110 @@ /* * ModSecurity, http://www.modsecurity.org/ - * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) - * - * You may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@modsecurity.org. + * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. * + * Licensed under the Apache License, Version 2.0 */ #ifndef SRC_UTILS_SHA1_H_ #define SRC_UTILS_SHA1_H_ #include -#include +#include +#include // NEW: std::once_flag, std::call_once #include "src/utils/string.h" -#include "mbedtls/sha1.h" -namespace modsecurity::Utils { +// PSA statt mbedtls/sha1.h +#include +namespace modsecurity::Utils { using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []); +// Gemeinsamer, thread-sicherer PSA-Init für alle Digests +namespace detail { +inline bool ensure_psa_init() { + static std::once_flag once; + static psa_status_t init_status = PSA_ERROR_GENERIC_ERROR; + + std::call_once(once, []() { + init_status = psa_crypto_init(); + }); + + return init_status == PSA_SUCCESS; +} +} // namespace detail + template class DigestImpl { public: - static std::string digest(const std::string& input) { - return digestHelper(input, [](const auto digest) { + return digestHelper(input, [](std::string_view digest) { return std::string(digest); }); } static void digestReplace(std::string& value) { - digestHelper(value, [&value](const auto digest) mutable { - value = digest; + digestHelper(value, [&value](std::string_view digest) mutable { + value.assign(digest.data(), digest.size()); }); } static std::string hexdigest(const std::string &input) { - return digestHelper(input, [](const auto digest) { + return digestHelper(input, [](std::string_view 
digest) { return utils::string::string_to_hex(digest); }); } -private: - + private: template - static auto digestHelper(const std::string &input, - ConvertOp convertOp) -> auto { - char digest[DigestSize]; + static auto digestHelper(const std::string &input, ConvertOp convertOp) + -> decltype(convertOp(std::string_view{})) { + + unsigned char digest[DigestSize]; + + const int ret = (*digestOp)( + reinterpret_cast(input.data()), + input.size(), + digest + ); - const auto ret = (*digestOp)(reinterpret_cast(input.c_str()), - input.size(), reinterpret_cast(digest)); - assert(ret == 0); + // NEW: kein assert-only; in Release sonst potentiell UB. + if (ret != 0) { + return convertOp(std::string_view{}); // leerer Digest signalisiert Fehler + } - return convertOp(std::string_view(digest, DigestSize)); + return convertOp(std::string_view( + reinterpret_cast(digest), DigestSize + )); } }; -class Sha1 : public DigestImpl<&mbedtls_sha1, 20> { -}; +// PSA-Wrapper mit alter Signatur +inline int modsec_psa_sha1(const unsigned char *input, + size_t ilen, + unsigned char output[20]) +{ + if (!detail::ensure_psa_init()) { + return -1; + } + + size_t out_len = 0; + psa_status_t status = psa_hash_compute( + PSA_ALG_SHA_1, + input, + ilen, + output, + 20, + &out_len + ); + + return (status == PSA_SUCCESS && out_len == 20) ? 0 : -1; +} +class Sha1 : public DigestImpl<&modsec_psa_sha1, 20> {}; } // namespace modsecurity::Utils From 01c3a2f5142546b2dae2d809d87512bc3ff5a123 Mon Sep 17 00:00:00 2001 From: jens Date: Sun, 21 Dec 2025 10:34:06 +0100 Subject: [PATCH 04/15] Revert "Update all submodules" This reverts commit ba247543ad48aee172b9352c9cc0c51ba43fbb80. --- others/libinjection | 2 +- test/test-cases/secrules-language-tests | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/others/libinjection b/others/libinjection index b2d46ec12..b9fcaaf9e 160000 --- a/others/libinjection +++ b/others/libinjection 
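Review bot: The new error path in `digestHelper` turns a failed hash into an empty `std::string_view`, so `digest()`/`hexdigest()` return `""` and `digestReplace()` wipes the caller's value, with no log entry and no exception; a transformation that silently yields an empty string can fail open when a rule later compares that digest, and it is harder to diagnose than the old `assert`. Prefer failing loudly — `if (ret != 0) { throw std::runtime_error("PSA hash computation failed"); }` (needs `<stdexcept>`) — or, if exceptions are unwanted on this path, keep the `assert` and add an explicit logged failure instead of an empty sentinel. `detail::ensure_psa_init` caches the first `psa_crypto_init()` result through `std::call_once`, so a one-off failure at startup (an unavailable entropy source, say) disables every digest for the life of the process; that is defensible but should be stated, e.g. `// Sticky: a failed psa_crypto_init() is never retried`. `DigestImpl` itself is undocumented; a short header comment stating that a `DigestOp` must write exactly `DigestSize` bytes and return 0 on success would help the next maintainer.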
@@ -1 +1 @@ -Subproject commit b2d46ec124d947d2f82560074e4a348cb15148fc +Subproject commit b9fcaaf9e50e9492807b23ffcc6af46ee1f203b9 diff --git a/test/test-cases/secrules-language-tests b/test/test-cases/secrules-language-tests index c6e880236..a3d4405e5 160000 --- a/test/test-cases/secrules-language-tests +++ b/test/test-cases/secrules-language-tests @@ -1 +1 @@ -Subproject commit c6e8802366ec3182b8c2612e23d14e19e3545b47 +Subproject commit a3d4405e5a2c90488c387e589c5534974575e35b From 23e513cf5319a1c764cec6889ecc2a44b02e8442 Mon Sep 17 00:00:00 2001 From: jens Date: Sun, 21 Dec 2025 14:54:05 +0100 Subject: [PATCH 05/15] WIP: intermediate state (mbedtls v4.0.0 and updates) --- configure.ac | 11 +++- others/Makefile.am | 68 +++++++++++++++++++++++-- src/Makefile.am | 1 + src/parser/seclang-scanner.cc | 10 ++-- src/parser/test.cc | 0 src/utils/sha256.h | 34 +++++++++++++ test/test-cases/secrules-language-tests | 2 +- 7 files changed, 115 insertions(+), 11 deletions(-) create mode 100644 src/parser/test.cc create mode 100644 src/utils/sha256.h diff --git a/configure.ac b/configure.ac index 1b3879aaf..7e862120a 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# ModSecurity configure.ac +/# ModSecurity configure.ac # Get the hash of the last commit, to be used if it is not an @@ -374,6 +374,15 @@ case $assertions in esac GLOBAL_CPPFLAGS="$GLOBAL_CPPFLAGS $ASSERTIONS_CPPCFLAGS" +MBEDTLS_CPPFLAGS='-DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" \ +-I$(top_srcdir)/others/mbedtls/include \ +-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \ +-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ +-I$(top_srcdir)/others/mbedtls/include \ +-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core \ +-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src' +GLOBAL_CPPFLAGS="$GLOBAL_CPPFLAGS $MBEDTLS_CPPFLAGS" + AC_SUBST(GLOBAL_LDADD) AC_SUBST(GLOBAL_CPPFLAGS) 
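Review bot: `MBEDTLS_CPPFLAGS` is appended to `GLOBAL_CPPFLAGS`, so every translation unit in the project (and anything else that consumes `GLOBAL_CPPFLAGS`) now gets the Mbed TLS private directories `tf-psa-crypto/core` and `tf-psa-crypto/drivers/builtin/src` on its include path, and `-I$(top_srcdir)/others/mbedtls/include` appears twice in the list. Only the units that include `src/utils/sha1.h`/`md5.h` need the PSA headers, and those need just the public include directories; I would drop the duplicate and the private `core`/`src` entries and `AC_SUBST(MBEDTLS_CPPFLAGS)` it for the specific `_CPPFLAGS` that need it instead of the global. `$(top_srcdir)` inside the single-quoted value is expanded by make, not by configure, which only works because the variable ends up substituted into Makefiles — a one-line comment saying so would save the next reader a puzzle.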
diff --git a/others/Makefile.am b/others/Makefile.am index b8be3af6e..493b06ba1 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -1,5 +1,5 @@ -noinst_LTLIBRARIES = libinjection.la libmbedtls.la +noinst_LTLIBRARIES = libinjection.la libmbedtls.la libmbedcrypto.la libinjection_la_SOURCES = \ libinjection/src/libinjection_html5.c \ 
@@ -26,10 +26,70 @@ libmbedtls_la_SOURCES = \ mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c \ mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \ mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c + mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/bignum.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ccm.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/cipher.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ctr_drbg.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ecp.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/entropy.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/gcm.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/rsa.c \ + mbedtls/tf-psa-crypto/core/psa_crypto.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_client.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_slot_management.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_storage.c \ + mbedtls/tf-psa-crypto/core/psa_its_file.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_driver_wrappers_no_static.c + +libmbedcrypto_la_SOURCES = \ + mbedtls/library/mps_reader.c \ + mbedtls/library/mps_trace.c \ + mbedtls/library/net_sockets.c \ + mbedtls/library/pkcs7.c \ + mbedtls/library/ssl_cache.c \ + mbedtls/library/ssl_ciphersuites.c \ + mbedtls/library/ssl_client.c \ + mbedtls/library/ssl_cookie.c \ + mbedtls/library/ssl_msg.c \ + mbedtls/library/ssl_ticket.c \ + mbedtls/library/ssl_tls.c \ + mbedtls/library/ssl_tls12_client.c \ + mbedtls/library/ssl_tls12_server.c \ + mbedtls/library/ssl_tls13_client.c \ + mbedtls/library/ssl_tls13_generic.c \ + mbedtls/library/ssl_tls13_keys.c \ + mbedtls/library/ssl_tls13_server.c \ + mbedtls/library/timing.c \ + mbedtls/library/version.c \ + mbedtls/library/x509.c \ + mbedtls/library/x509_create.c \ + mbedtls/library/x509_crl.c \ + mbedtls/library/x509_crt.c \ + mbedtls/library/x509_csr.c \ + mbedtls/library/x509_oid.c \ + mbedtls/library/x509write.c \ + 
mbedtls/library/x509write_crt.c \ + mbedtls/library/x509write_csr.c + + libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core \ + -I$(top_srcdir)/others/mbedtls/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src +libmbedcrypto_la_CPPFLAGS = \ + -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" \ + -I$(top_srcdir)/others/mbedtls/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core + libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = + +#libmbedcrypto_la_CPPFLAGS = +#libmbedcrypto_la_LIBADD = diff --git a/src/Makefile.am b/src/Makefile.am index 14c26697b..2ec0e5be3 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -338,6 +338,7 @@ libmodsecurity_la_LIBADD = \ $(LUA_LDADD) \ ../others/libinjection.la \ ../others/libmbedtls.la \ + ../others/libmbedcrypto.la \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(MAXMIND_LDADD) \ diff --git a/src/parser/seclang-scanner.cc b/src/parser/seclang-scanner.cc index ddedb290d..0bd06ae66 100644 --- a/src/parser/seclang-scanner.cc +++ b/src/parser/seclang-scanner.cc @@ -1,5 +1,5 @@ -#line 2 "seclang-scanner.cc" +#line 3 "seclang-scanner.cc" #define YY_INT_ALIGNED short int 
@@ -5017,7 +5017,7 @@ static std::stack YY_PREVIOUS_STATE; #define BEGIN_PREVIOUS() { BEGIN(YY_PREVIOUS_STATE.top()); YY_PREVIOUS_STATE.pop(); } // The location of the current token. -#line 5020 "seclang-scanner.cc" +#line 5021 "seclang-scanner.cc" #define YY_NO_INPUT 1 #define YY_NO_UNISTD_H 1 @@ -5025,8 +5025,8 @@ static std::stack YY_PREVIOUS_STATE; // Code run each time a pattern is matched. # define YY_USER_ACTION driver.loc.back()->columns (yyleng); -#line 5028 "seclang-scanner.cc" #line 5029 "seclang-scanner.cc" +#line 5030 "seclang-scanner.cc" #define INITIAL 0 #define EXPECTING_ACTION_PREDICATE_VARIABLE 1 @@ -5348,7 +5348,7 @@ YY_DECL // Code run each time yylex is called. driver.loc.back()->step(); -#line 5351 "seclang-scanner.cc" +#line 5352 "seclang-scanner.cc" while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */ { @@ -8484,7 +8484,7 @@ YY_RULE_SETUP #line 1350 "seclang-scanner.ll" ECHO; YY_BREAK -#line 8487 "seclang-scanner.cc" +#line 8488 "seclang-scanner.cc" case YY_END_OF_BUFFER: { diff --git a/src/parser/test.cc b/src/parser/test.cc new file mode 100644 index 000000000..e69de29bb diff --git a/src/utils/sha256.h b/src/utils/sha256.h new file mode 100644 index 000000000..c2353ccb1 --- /dev/null +++ b/src/utils/sha256.h @@ -0,0 +1,34 @@ +#ifndef SRC_UTILS_SHA256_H_ +#define SRC_UTILS_SHA256_H_ + +#include "src/utils/sha1.h" // bringt DigestImpl + detail::ensure_psa_init() +#include + +namespace modsecurity::Utils { + +inline int modsec_psa_sha256(const unsigned char *input, + size_t ilen, + unsigned char output[32]) +{ + if (!detail::ensure_psa_init()) { + return -1; + } + + size_t out_len = 0; + psa_status_t status = psa_hash_compute( + PSA_ALG_SHA_256, + input, + ilen, + output, + 32, + &out_len + ); + + return (status == PSA_SUCCESS && out_len == 32) ? 0 : -1; +} + +class Sha256 : public DigestImpl<&modsec_psa_sha256, 32> {}; + +} // namespace modsecurity::Utils + +#endif // SRC_UTILS_SHA256_H_ 
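Review bot: The new `src/utils/sha256.h` carries no license/copyright header, unlike the sibling md5.h and sha1.h it is modelled on, and it obtains `DigestImpl` and `detail::ensure_psa_init` by including sha1.h, so a SHA-256 user now transitively pulls in the SHA-1 wrapper; moving `DigestOp`, `DigestImpl` and `ensure_psa_init` into their own header that all three digest headers include would fix the layering. `modsec_psa_sha256` is a third copy of the wrapper already in md5.h and sha1.h, differing only in `PSA_ALG_SHA_256` and `32`, and the same silent `-1` return applies: a `PSA_ERROR_NOT_SUPPORTED` from a crypto config that does not enable SHA-256 is indistinguishable from an init failure, so at least a comment on the return convention is needed. The same commit also adds an empty `src/parser/test.cc` (no hunk; `e69de29bb` is the empty blob), which looks accidental and should be dropped.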
diff --git a/test/test-cases/secrules-language-tests b/test/test-cases/secrules-language-tests index a3d4405e5..c6e880236 160000 --- a/test/test-cases/secrules-language-tests +++ b/test/test-cases/secrules-language-tests @@ -1 +1 @@ -Subproject commit a3d4405e5a2c90488c387e589c5534974575e35b +Subproject commit c6e8802366ec3182b8c2612e23d14e19e3545b47 From fba1de54963770c26d5d9b7e86cafb305ff2322b Mon Sep 17 00:00:00 2001 From: jens Date: Sun, 21 Dec 2025 15:31:24 +0100 Subject: [PATCH 06/15] Build working: update submodules and autotools files --- configure.ac | 2 +- others/Makefile.am | 150 +++++++++++++++++++++++++-------------------- src/Makefile.am | 1 - 3 files changed, 85 insertions(+), 68 deletions(-) diff --git a/configure.ac b/configure.ac index 7e862120a..266a12f94 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -/# ModSecurity configure.ac +# ModSecurity configure.ac # Get the hash of the last commit, to be used if it is not an diff --git a/others/Makefile.am b/others/Makefile.am index 493b06ba1..91f6e389c 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -1,5 +1,5 @@ -noinst_LTLIBRARIES = libinjection.la libmbedtls.la libmbedcrypto.la +noinst_LTLIBRARIES = libinjection.la libmbedtls.la libinjection_la_SOURCES = \ libinjection/src/libinjection_html5.c \ 
@@ -22,74 +22,92 @@ noinst_HEADERS = \ mbedtls/tf-psa-crypto/include/mbedtls/platform.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/sha1.h -libmbedtls_la_SOURCES = \ - mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/bignum.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/ccm.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/cipher.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/ctr_drbg.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/ecp.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/entropy.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/gcm.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/rsa.c \ - mbedtls/tf-psa-crypto/core/psa_crypto.c \ - mbedtls/tf-psa-crypto/core/psa_crypto_client.c \ - mbedtls/tf-psa-crypto/core/psa_crypto_slot_management.c \ - mbedtls/tf-psa-crypto/core/psa_crypto_storage.c \ - mbedtls/tf-psa-crypto/core/psa_its_file.c \ - mbedtls/tf-psa-crypto/core/psa_crypto_driver_wrappers_no_static.c - -libmbedcrypto_la_SOURCES = \ - mbedtls/library/mps_reader.c \ - mbedtls/library/mps_trace.c \ - mbedtls/library/net_sockets.c \ - mbedtls/library/pkcs7.c \ - mbedtls/library/ssl_cache.c \ - mbedtls/library/ssl_ciphersuites.c \ - mbedtls/library/ssl_client.c \ - mbedtls/library/ssl_cookie.c \ - mbedtls/library/ssl_msg.c \ - mbedtls/library/ssl_ticket.c \ - mbedtls/library/ssl_tls.c \ - mbedtls/library/ssl_tls12_client.c \ - mbedtls/library/ssl_tls12_server.c \ - mbedtls/library/ssl_tls13_client.c \ - mbedtls/library/ssl_tls13_generic.c \ - mbedtls/library/ssl_tls13_keys.c \ - mbedtls/library/ssl_tls13_server.c \ - mbedtls/library/timing.c \ - mbedtls/library/version.c \ - mbedtls/library/x509.c \ - mbedtls/library/x509_create.c \ - mbedtls/library/x509_crl.c \ - mbedtls/library/x509_crt.c \ - mbedtls/library/x509_csr.c \ - 
mbedtls/library/x509_oid.c \ - mbedtls/library/x509write.c \ - mbedtls/library/x509write_crt.c \ - mbedtls/library/x509write_csr.c +MBED_PSA_CORE_SOURCES = \ + mbedtls/tf-psa-crypto/core/psa_crypto.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_client.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_slot_management.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_storage.c \ + mbedtls/tf-psa-crypto/core/psa_its_file.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_driver_wrappers_no_static.c +MBED_BUILTIN_SOURCES = \ + mbedtls/tf-psa-crypto/drivers/builtin/src/aes.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/aesce.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/aesni.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/aria.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/asn1parse.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/asn1write.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/bignum.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_core.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_mod.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/block_cipher.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/camellia.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ccm.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/chacha20.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/chachapoly.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/cipher.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/cipher_wrap.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/cmac.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/constant_time.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ctr_drbg.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ecdh.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ecdsa.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ecjpake.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ecp.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ecp_curves.c \ + 
mbedtls/tf-psa-crypto/drivers/builtin/src/ecp_curves_new.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/entropy.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/entropy_poll.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/gcm.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/hmac_drbg.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/md.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/memory_buffer_alloc.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/nist_kw.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/oid.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pem.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pk.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pk_ecc.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pk_rsa.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pk_wrap.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pkcs5.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pkparse.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pkwrite.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/platform.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/poly1305.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_aead.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_cipher.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_ecp.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_ffdh.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_hash.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_mac.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_pake.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_rsa.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_util.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ripemd160.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/rsa.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/rsa_alt_helpers.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ + 
mbedtls/tf-psa-crypto/drivers/builtin/src/sha256.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/sha3.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/sha512.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/threading.c +libmbedtls_la_SOURCES = \ + $(MBED_PSA_CORE_SOURCES) \ + $(MBED_BUILTIN_SOURCES) -libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core \ - -I$(top_srcdir)/others/mbedtls/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src -libmbedcrypto_la_CPPFLAGS = \ - -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" \ - -I$(top_srcdir)/others/mbedtls/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core +libmbedtls_la_CPPFLAGS = \ + -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" \ + -I$(top_srcdir)/others/mbedtls/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src -libmbedtls_la_CPPFLAGS = +#libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = -#libmbedcrypto_la_CPPFLAGS = -#libmbedcrypto_la_LIBADD = diff --git a/src/Makefile.am b/src/Makefile.am index 2ec0e5be3..14c26697b 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -338,7 +338,6 @@ libmodsecurity_la_LIBADD = \ $(LUA_LDADD) \ ../others/libinjection.la \ ../others/libmbedtls.la \ - ../others/libmbedcrypto.la \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(MAXMIND_LDADD) \ From a6a3a3d4e7dc16f8b35b7b6c64d6a51d9f4cb396 Mon Sep 17 00:00:00 2001 
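Review bot: `MBED_BUILTIN_SOURCES` now compiles the whole builtin driver set — AES, ARIA, Camellia, ChaCha/Poly1305, RSA, ECP/ECDSA/ECDH, PK/PEM/PKCS5, both DRBGs, SHA-3 and more — into `libmbedtls.la`, while the project code on this page uses only `psa_hash_compute` for MD5/SHA-1/SHA-256 plus base64; how much of that ends up as live code depends on the `PSA_WANT_*`/`MBEDTLS_*` settings in the project's `mbedtls_config.h`, which is not visible here. Unused primitives linked into `libmodsecurity` are extra binary size and extra vulnerability surface to track against the submodule's advisories, so either trim the list to what the config enables or keep the config minimal so the extra files compile to nothing, and say which in a comment above the list, e.g. `# Only the primitives enabled in mbedtls/mbedtls_config.h produce code; the rest compile to empty objects`. `-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src` puts a source directory on the include path and `#libmbedtls_la_CPPFLAGS =` is a leftover; confirm the former is still needed (the earlier hunk lists `check_crypto_config.h` from that directory) and delete the latter.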
From: jens Date: Thu, 25 Dec 2025 13:31:01 +0100 Subject: [PATCH 07/15] auto-generate psa_crypto_driver_wrappers.h during build --- build.sh | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/build.sh b/build.sh index 7f47f03c0..072eddf9e 100755 --- a/build.sh +++ b/build.sh @@ -24,6 +24,32 @@ ls -1 \ *.h | tr "\012" " " >> headers.mk cd ../ +############################################################################## +# NEU: psa_crypto_driver_wrappers.h automatisch generieren, Pfad wird gesucht +############################################################################## +echo "[+] Suche nach psa_crypto_driver_wrappers.h …" +if ! find . -maxdepth 10 -type f -name 'psa_crypto_driver_wrappers.h' | grep -q .; then + echo "[+] Datei nicht gefunden, suche nach generate_driver_wrappers.py …" + GEN_SCRIPT=$(find . -maxdepth 10 -type f -name 'generate_driver_wrappers.py' | head -n 1) + + if [ -n "$GEN_SCRIPT" ]; then + GEN_DIR=$(dirname "$GEN_SCRIPT") + echo "[+] Generator-Skript gefunden in: $GEN_DIR" + ( + cd "$GEN_DIR" || exit 1 + # optional: Python-Abhängigkeiten leise installieren + python3 -m pip install --user jinja2 jsonschema >/dev/null 2>&1 || true + echo "[+] Starte: python3 $(basename "$GEN_SCRIPT")" + python3 "$(basename "$GEN_SCRIPT")" + ) + else + echo "[!] Kein generate_driver_wrappers.py gefunden – Schritt wird übersprungen." + fi +else + echo "[+] psa_crypto_driver_wrappers.h existiert bereits, nichts zu tun." +fi +############################################################################## + case `uname` in Darwin*) glibtoolize --force --copy ;; *) libtoolize --force --copy ;; esac autoreconf --install @@ -31,5 +57,3 @@ autoheader automake --add-missing --foreign --copy --force-missing autoconf --force rm -rf autom4te.cache - - From e2018dc4a3740534cefc44c59aeaccf34c06b1c0 Mon Sep 17 00:00:00 2001 
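Review bot: The new bootstrap block runs `python3 -m pip install --user jinja2 jsonschema` from inside `build.sh`, so a build script now fetches unpinned packages from the network and installs them into the developer's user site-packages, and `>/dev/null 2>&1 || true` hides whether that worked; a build script should not mutate the environment outside the tree, and a missing dependency should fail clearly rather than be papered over. Both `find` lookups are also too broad: the existence check matches any `psa_crypto_driver_wrappers.h` anywhere under the tree, and `head -n 1` executes the first `generate_driver_wrappers.py` found, including one from another submodule; the generator lives at a fixed path inside the pinned mbedtls submodule, so reference it explicitly (placeholder: `GEN_SCRIPT=others/mbedtls/<path-to>/generate_driver_wrappers.py`) and exit if it is absent. Replace the pip line with `python3 -c 'import jinja2, jsonschema' || { echo "[!] jinja2 and jsonschema are required to generate psa_crypto_driver_wrappers.h"; exit 1; }`. The same lines reappear, translated, in the later commit "Change comments from German to English and reset seclang-scanner.cc", so the fix should land on both.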
From: jens Date: Tue, 27 Jan 2026 11:00:57 +0100 Subject: [PATCH 08/15] Change comments from German to English and reset seclang-scanner.cc --- build.sh | 24 ++++++++++-------------- src/parser/seclang-scanner.cc | 10 +++++----- src/utils/md5.h | 6 +++--- src/utils/sha1.h | 10 +++++----- src/utils/sha256.h | 2 +- 5 files changed, 24 insertions(+), 28 deletions(-) mode change 100755 => 100644 build.sh diff --git a/build.sh b/build.sh old mode 100755 new mode 100644 index 072eddf9e..59fbda2a7 --- a/build.sh +++ b/build.sh @@ -1,8 +1,6 @@ #!/bin/sh - rm -rf autom4te.cache rm -f aclocal.m4 - cd src rm -f headers.mk echo "noinst_HEADERS = \\" > headers.mk 
@@ -23,33 +21,31 @@ ls -1 \ engine/*.h \ *.h | tr "\012" " " >> headers.mk cd ../ - ############################################################################## -# NEU: psa_crypto_driver_wrappers.h automatisch generieren, Pfad wird gesucht +# NEW: Automatically generate psa_crypto_driver_wrappers.h, path will be searched ############################################################################## -echo "[+] Suche nach psa_crypto_driver_wrappers.h …" -if ! find . -maxdepth 10 -type f -name 'psa_crypto_driver_wrappers.h' | grep -q .; then - echo "[+] Datei nicht gefunden, suche nach generate_driver_wrappers.py …" +echo "[+] Searching for psa_crypto_driver_wrappers.h …" +if ! find . -maxdepth 10 -type f -name 'psa_crypto_driver_wrappers.h' | grep -q \ +.; then + echo "[+] File not found, searching for generate_driver_wrappers.py …" GEN_SCRIPT=$(find . -maxdepth 10 -type f -name 'generate_driver_wrappers.py' | head -n 1) - if [ -n "$GEN_SCRIPT" ]; then GEN_DIR=$(dirname "$GEN_SCRIPT") - echo "[+] Generator-Skript gefunden in: $GEN_DIR" + echo "[+] Generator script found in: $GEN_DIR" ( cd "$GEN_DIR" || exit 1 - # optional: Python-Abhängigkeiten leise installieren + # optional: silently install Python dependencies python3 -m pip install --user jinja2 jsonschema >/dev/null 2>&1 || true - echo "[+] Starte: python3 $(basename "$GEN_SCRIPT")" + echo "[+] Running: python3 $(basename "$GEN_SCRIPT")" python3 "$(basename "$GEN_SCRIPT")" ) else - echo "[!] Kein generate_driver_wrappers.py gefunden – Schritt wird übersprungen." + echo "[!] No generate_driver_wrappers.py found – skipping this step." fi else - echo "[+] psa_crypto_driver_wrappers.h existiert bereits, nichts zu tun." + echo "[+] psa_crypto_driver_wrappers.h already exists, nothing to do." fi ############################################################################## - case `uname` in Darwin*) glibtoolize --force --copy ;; *) libtoolize --force --copy ;; esac autoreconf --install 
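Review bot: Breaking `| grep -q \` across a backslash-newline so that the pattern `.` opens the next line as `.; then` is easy to misread as a stray statement; the line continuation is the only thing keeping it part of the pipeline. Keep the condition on one line, `if ! find . -maxdepth 10 -type f -name 'psa_crypto_driver_wrappers.h' | grep -q .; then`, as the original had it; the remaining changes in this hunk are comment and message translations.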
diff --git a/src/parser/seclang-scanner.cc b/src/parser/seclang-scanner.cc index 0bd06ae66..ddedb290d 100644 --- a/src/parser/seclang-scanner.cc +++ b/src/parser/seclang-scanner.cc @@ -1,5 +1,5 @@ -#line 3 "seclang-scanner.cc" +#line 2 "seclang-scanner.cc" #define YY_INT_ALIGNED short int @@ -5017,7 +5017,7 @@ static std::stack YY_PREVIOUS_STATE; #define BEGIN_PREVIOUS() { BEGIN(YY_PREVIOUS_STATE.top()); YY_PREVIOUS_STATE.pop(); } // The location of the current token. -#line 5021 "seclang-scanner.cc" +#line 5020 "seclang-scanner.cc" #define YY_NO_INPUT 1 #define YY_NO_UNISTD_H 1 @@ -5025,8 +5025,8 @@ static std::stack YY_PREVIOUS_STATE; // Code run each time a pattern is matched. # define YY_USER_ACTION driver.loc.back()->columns (yyleng); +#line 5028 "seclang-scanner.cc" #line 5029 "seclang-scanner.cc" -#line 5030 "seclang-scanner.cc" #define INITIAL 0 #define EXPECTING_ACTION_PREDICATE_VARIABLE 1 @@ -5348,7 +5348,7 @@ YY_DECL // Code run each time yylex is called. driver.loc.back()->step(); -#line 5352 "seclang-scanner.cc" +#line 5351 "seclang-scanner.cc" while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */ { @@ -8484,7 +8484,7 @@ YY_RULE_SETUP #line 1350 "seclang-scanner.ll" ECHO; YY_BREAK -#line 8488 "seclang-scanner.cc" +#line 8487 "seclang-scanner.cc" case YY_END_OF_BUFFER: { diff --git a/src/utils/md5.h b/src/utils/md5.h index 55998ea65..c9298ffea 100644 --- a/src/utils/md5.h +++ b/src/utils/md5.h @@ -8,14 +8,14 @@ #ifndef SRC_UTILS_MD5_H_ #define SRC_UTILS_MD5_H_ -#include "src/utils/sha1.h" // nutzt DigestImpl + detail::ensure_psa_init() +#include "src/utils/sha1.h" // uses DigestImpl + detail::ensure_psa_init() #include -#include // optional (weil sha1.h es schon inkludiert), aber ok +#include // optional (since sha1.h already includes it), but ok namespace modsecurity::Utils { -// PSA-Wrapper mit alter Signatur +// PSA wrapper with legacy signature inline int modsec_psa_md5(const unsigned char *input, size_t ilen, unsigned char output[16]) 
diff --git a/src/utils/sha1.h b/src/utils/sha1.h index 623161256..7737dd901 100644 --- a/src/utils/sha1.h +++ b/src/utils/sha1.h @@ -14,14 +14,14 @@ #include "src/utils/string.h" -// PSA statt mbedtls/sha1.h +// PSA instead of mbedtls/sha1.h #include namespace modsecurity::Utils { using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []); -// Gemeinsamer, thread-sicherer PSA-Init für alle Digests +// Shared, thread-safe PSA initialization for all digests namespace detail { inline bool ensure_psa_init() { static std::once_flag once; @@ -70,9 +70,9 @@ class DigestImpl { digest ); - // NEW: kein assert-only; in Release sonst potentiell UB. + // NEW: not assert-only; otherwise potential UB in release builds. if (ret != 0) { - return convertOp(std::string_view{}); // leerer Digest signalisiert Fehler + return convertOp(std::string_view{}); // empty digest signals error } return convertOp(std::string_view( @@ -82,7 +82,7 @@ class DigestImpl { }; -// PSA-Wrapper mit alter Signatur +// PSA wrapper with legacy signature inline int modsec_psa_sha1(const unsigned char *input, size_t ilen, unsigned char output[20]) diff --git a/src/utils/sha256.h b/src/utils/sha256.h index c2353ccb1..abf85b705 100644 --- a/src/utils/sha256.h +++ b/src/utils/sha256.h @@ -1,7 +1,7 @@ #ifndef SRC_UTILS_SHA256_H_ #define SRC_UTILS_SHA256_H_ -#include "src/utils/sha1.h" // bringt DigestImpl + detail::ensure_psa_init() +#include "src/utils/sha1.h" // provides DigestImpl + detail::ensure_psa_init() #include namespace modsecurity::Utils { From f506395f81298da2c691ca59148a9eceb3018d23 Mon Sep 17 00:00:00 2001 From: jens Date: Tue, 27 Jan 2026 12:26:02 +0100 Subject: [PATCH 09/15] Modernize SHA1 implementation: std::byte, std::array, safer casts --- src/utils/sha1.h | 101 ++++++++++++++++++++++++++--------------------- 1 file changed, 57 insertions(+), 44 deletions(-) diff --git a/src/utils/sha1.h b/src/utils/sha1.h index 7737dd901..cc70fbc75 100644 --- a/src/utils/sha1.h 
+++ b/src/utils/sha1.h @@ -8,9 +8,14 @@ #ifndef SRC_UTILS_SHA1_H_ #define SRC_UTILS_SHA1_H_ +#include +#include // std::byte +#include // std::memcpy +#include // std::once_flag, std::call_once +#include #include #include -#include // NEW: std::once_flag, std::call_once +#include #include "src/utils/string.h" 
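Review bot: The includes added here (the uncommented new `#include` lines presumably bring in `<span>`, since the following hunk declares `DigestOp` and `modsec_psa_sha1` with `std::span`) make this header require C++20, while the build configuration visible elsewhere in this series still selects C++17 (`AX_CXX_COMPILE_STDCXX(17, noext, mandatory)` in configure.ac, `--std=c++17` for cppcheck), so the header will not compile under the configured standard. Either raise the project standard in the same change or keep a pointer-plus-length interface; `std::byte`, `std::array` and `std::once_flag` are fine in C++17. The same issue applies to the next hunk of this commit.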
@@ -19,89 +24,97 @@ namespace modsecurity::Utils { -using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []); +// Digest operation: takes input bytes and writes DigestSize bytes to output. +template +using DigestOp = int (*)(std::span input, + std::span output); -// Shared, thread-safe PSA initialization for all digests +// Shared, thread-safe PSA initialization for all digests. namespace detail { + inline bool ensure_psa_init() { static std::once_flag once; static psa_status_t init_status = PSA_ERROR_GENERIC_ERROR; - std::call_once(once, []() { - init_status = psa_crypto_init(); - }); + std::call_once(once, []() { init_status = psa_crypto_init(); }); return init_status == PSA_SUCCESS; } -} // namespace detail +inline std::span to_bytes(std::string_view s) noexcept { + const std::span chars{s.data(), s.size()}; + return std::as_bytes(chars); +} + +} // namespace detail -template +template class DigestImpl { public: static std::string digest(const std::string& input) { - return digestHelper(input, [](std::string_view digest) { - return std::string(digest); - }); + return digestHelper(input, [](std::string_view d) { return std::string{d}; }); } static void digestReplace(std::string& value) { - digestHelper(value, [&value](std::string_view digest) mutable { - value.assign(digest.data(), digest.size()); - }); + value = digest(value); } - static std::string hexdigest(const std::string &input) { - return digestHelper(input, [](std::string_view digest) { - return utils::string::string_to_hex(digest); + static std::string hexdigest(const std::string& input) { + return digestHelper(input, [](std::string_view d) { + return utils::string::string_to_hex(d); }); } private: - template - static auto digestHelper(const std::string &input, ConvertOp convertOp) + template + static auto digestHelper(const std::string& input, ConvertOp convertOp) -> decltype(convertOp(std::string_view{})) { - unsigned char digest[DigestSize]; - - const int ret = (*digestOp)( - 
reinterpret_cast(input.data()), - input.size(), - digest - ); + std::array digest_bytes{}; - // NEW: not assert-only; otherwise potential UB in release builds. - if (ret != 0) { - return convertOp(std::string_view{}); // empty digest signals error + if (DigestFn(detail::to_bytes(input), + std::span{digest_bytes}) != 0) { + // Empty digest signals an error. + return convertOp(std::string_view{}); } - return convertOp(std::string_view( - reinterpret_cast(digest), DigestSize - )); + // Convert byte array to a binary std::string without pointer punning. + std::string raw(DigestSize, '\0'); + std::memcpy(raw.data(), digest_bytes.data(), DigestSize); + + return convertOp(std::string_view{raw}); } }; - -// PSA wrapper with legacy signature -inline int modsec_psa_sha1(const unsigned char *input, - size_t ilen, - unsigned char output[20]) -{ +// PSA wrapper for SHA-1 (legacy-friendly error convention: 0 = success, non-zero = error). +inline int modsec_psa_sha1(std::span input, + std::span output) { if (!detail::ensure_psa_init()) { return -1; } + // psa_hash_compute uses uint8_t; copy to avoid unsafe casts. + std::vector input_u8(input.size()); + std::memcpy(input_u8.data(), input.data(), input.size()); + + std::array output_u8{}; size_t out_len = 0; - psa_status_t status = psa_hash_compute( + + const auto status = psa_hash_compute( PSA_ALG_SHA_1, - input, - ilen, - output, - 20, + input_u8.data(), + input_u8.size(), + output_u8.data(), + output_u8.size(), &out_len ); - return (status == PSA_SUCCESS && out_len == 20) ? 0 : -1; + if (status != PSA_SUCCESS || out_len != output_u8.size()) { + return -1; + } + + std::memcpy(output.data(), output_u8.data(), output_u8.size()); + return 0; } class Sha1 : public DigestImpl<&modsec_psa_sha1, 20> {}; From c4ba2dfcae5d3179eddf0d8a52558c80a7d1798a Mon Sep 17 00:00:00 2001 
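Review bot: Switching `DigestOp` and the `DigestFn` call in `digestHelper` to the `std::span` signature breaks the other digest that plugs into `DigestImpl`: this commit touches only sha1.h, but md5.h (shown in the patch 08 hunk above) still declares `modsec_psa_md5(const unsigned char *input, size_t ilen, unsigned char output[16])` and includes sha1.h for `DigestImpl`, as does sha256.h, so those instantiations no longer match the template. Either convert the md5/sha256 wrappers in the same commit or keep the legacy pointer signature on the alias. Separately, `modsec_psa_sha1` now heap-allocates a `std::vector` and copies the entire input before hashing; `std::byte` and `uint8_t` are both byte types, and reading the input through `reinterpret_cast<const std::uint8_t*>(input.data())` is the byte-access case the aliasing rules permit, so the copy can be dropped, which matters because every payload a rule hashes goes through this function. The trailing `std::memcpy` into `output` is likewise avoidable by handing `psa_hash_compute` the destination cast the same way, after checking `output.size() >= 20`.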
From: jens Date: Tue, 27 Jan 2026 12:32:25 +0100 Subject: [PATCH 10/15] Fix build script permissions --- build.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 build.sh diff --git a/build.sh b/build.sh old mode 100644 new mode 100755 From 795cf67cb84fcbb46e5648967c75c4d1607a2b8b Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Tue, 27 Jan 2026 19:05:57 +0100 Subject: [PATCH 11/15] Delete src/parser/test.cc --- src/parser/test.cc | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 src/parser/test.cc diff --git a/src/parser/test.cc b/src/parser/test.cc deleted file mode 100644 index e69de29bb..000000000 From d127722331c06e26505a919c85e8b8c7147f9e3c Mon Sep 17 00:00:00 2001 From: jens Date: Tue, 27 Jan 2026 20:44:19 +0100 Subject: [PATCH 12/15] Restore original ModSecurity license header --- src/utils/md5.h | 12 ++++++++++-- src/utils/sha1.h | 12 ++++++++++-- src/utils/sha256.h | 16 ++++++++++++++++ 3 files changed, 36 insertions(+), 4 deletions(-) diff --git a/src/utils/md5.h b/src/utils/md5.h index c9298ffea..834039cc3 100644 --- a/src/utils/md5.h +++ b/src/utils/md5.h @@ -1,8 +1,16 @@ /* * ModSecurity, http://www.modsecurity.org/ - * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. + * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * + * You may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * If any of the files related to licensing are missing or if you have any + * other questions related to licensing please contact Trustwave Holdings, Inc. + * directly using the email address security@modsecurity.org. * - * Licensed under the Apache License, Version 2.0 */ #ifndef SRC_UTILS_MD5_H_ diff --git a/src/utils/sha1.h b/src/utils/sha1.h index cc70fbc75..2df3d3822 100644 --- a/src/utils/sha1.h +++ b/src/utils/sha1.h 
@@ -1,8 +1,16 @@ /* * ModSecurity, http://www.modsecurity.org/ - * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. + * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * + * You may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * If any of the files related to licensing are missing or if you have any + * other questions related to licensing please contact Trustwave Holdings, Inc. + * directly using the email address security@modsecurity.org. * - * Licensed under the Apache License, Version 2.0 */ #ifndef SRC_UTILS_SHA1_H_ diff --git a/src/utils/sha256.h b/src/utils/sha256.h index abf85b705..401c8aa34 100644 --- a/src/utils/sha256.h +++ b/src/utils/sha256.h @@ -1,3 +1,19 @@ +/* + * ModSecurity, http://www.modsecurity.org/ + * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * + * You may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * If any of the files related to licensing are missing or if you have any + * other questions related to licensing please contact Trustwave Holdings, Inc. + * directly using the email address security@modsecurity.org. + * + */ + + #ifndef SRC_UTILS_SHA256_H_ #define SRC_UTILS_SHA256_H_ From d67bf140bc100ca7e6f3d25a46958c050b645a62 Mon Sep 17 00:00:00 2001 From: jens Date: Tue, 27 Jan 2026 21:23:12 +0100 Subject: [PATCH 13/15] Fix SHA1/MD5 digest helpers to be C++17-compatible --- src/utils/sha1.h | 79 ++++++++++++++++++++---------------------------- 1 file changed, 33 insertions(+), 46 deletions(-) diff --git a/src/utils/sha1.h b/src/utils/sha1.h index 2df3d3822..3c9ee6955 100644 --- a/src/utils/sha1.h +++ b/src/utils/sha1.h 
@@ -17,29 +17,20 @@ #define SRC_UTILS_SHA1_H_ #include -#include // std::byte -#include // std::memcpy -#include // std::once_flag, std::call_once -#include +#include +#include +#include #include #include -#include #include "src/utils/string.h" - -// PSA instead of mbedtls/sha1.h #include namespace modsecurity::Utils { -// Digest operation: takes input bytes and writes DigestSize bytes to output. -template -using DigestOp = int (*)(std::span input, - std::span output); - -// Shared, thread-safe PSA initialization for all digests. namespace detail { +// Thread-safe PSA initialization shared by all digests inline bool ensure_psa_init() { static std::once_flag once; static psa_status_t init_status = PSA_ERROR_GENERIC_ERROR; @@ -49,18 +40,22 @@ inline bool ensure_psa_init() { return init_status == PSA_SUCCESS; } -inline std::span to_bytes(std::string_view s) noexcept { - const std::span chars{s.data(), s.size()}; - return std::as_bytes(chars); -} - } // namespace detail +// C-friendly digest function signature (matches legacy wrappers like modsec_psa_md5) +template +using DigestOp = int (*)(const unsigned char* input, + std::size_t input_len, + unsigned char* output); + +// Generic digest implementation template class DigestImpl { public: static std::string digest(const std::string& input) { - return digestHelper(input, [](std::string_view d) { return std::string{d}; }); + return digestHelper(input, [](std::string_view d) { + return std::string{d}; + }); } static void digestReplace(std::string& value) { 
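Review bot: In the second hunk the new `DigestOp` alias is declared as a template (its parameter list is not legible in this rendering), but the function-pointer type `int (*)(const unsigned char*, std::size_t, unsigned char*)` never mentions that parameter, so if it is the digest size it is unused and suggests a size check that does not exist. Nothing in the signature ties the `unsigned char* output` buffer to `DigestSize`: the SHA-1 wrapper hard-codes `20` while `DigestImpl` receives `20` as a separate template argument, so a mismatch such as `DigestImpl<&modsec_psa_sha1, 16>` would compile and overrun the `std::array` in `digestHelper`. At minimum state the contract on the alias, `// output must point to at least DigestSize writable bytes; the wrapper writes exactly that many`. The `DigestImpl` class body continues past the end of this hunk.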
@@ -78,51 +73,42 @@ class DigestImpl { static auto digestHelper(const std::string& input, ConvertOp convertOp) -> decltype(convertOp(std::string_view{})) { - std::array digest_bytes{}; + std::array out{}; + const std::string_view sv{input}; - if (DigestFn(detail::to_bytes(input), - std::span{digest_bytes}) != 0) { - // Empty digest signals an error. + const auto* in_ptr = + reinterpret_cast(sv.data()); + const std::size_t in_len = sv.size(); + + if (DigestFn(in_ptr, in_len, out.data()) != 0) { return convertOp(std::string_view{}); } - // Convert byte array to a binary std::string without pointer punning. std::string raw(DigestSize, '\0'); - std::memcpy(raw.data(), digest_bytes.data(), DigestSize); - + std::memcpy(raw.data(), out.data(), DigestSize); return convertOp(std::string_view{raw}); } }; -// PSA wrapper for SHA-1 (legacy-friendly error convention: 0 = success, non-zero = error). -inline int modsec_psa_sha1(std::span input, - std::span output) { +// PSA wrapper for SHA-1 (0 = success, non-zero = error) +inline int modsec_psa_sha1(const unsigned char* input, + std::size_t ilen, + unsigned char* output) { if (!detail::ensure_psa_init()) { return -1; } - // psa_hash_compute uses uint8_t; copy to avoid unsafe casts. - std::vector input_u8(input.size()); - std::memcpy(input_u8.data(), input.data(), input.size()); - - std::array output_u8{}; size_t out_len = 0; - - const auto status = psa_hash_compute( + psa_status_t status = psa_hash_compute( PSA_ALG_SHA_1, - input_u8.data(), - input_u8.size(), - output_u8.data(), - output_u8.size(), + input, + ilen, + output, + 20, &out_len ); - if (status != PSA_SUCCESS || out_len != output_u8.size()) { - return -1; - } - - std::memcpy(output.data(), output_u8.data(), output_u8.size()); - return 0; + return (status == PSA_SUCCESS && out_len == 20) ? 0 : -1; } class Sha1 : public DigestImpl<&modsec_psa_sha1, 20> {}; 
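Review bot: `modsec_psa_sha1` hard-codes `20` both as the output size passed to `psa_hash_compute` and in the `out_len == 20` check; `PSA_HASH_LENGTH(PSA_ALG_SHA_1)` expresses the same value from the API and keeps the two in sync: `output, PSA_HASH_LENGTH(PSA_ALG_SHA_1), &out_len);` and `return (status == PSA_SUCCESS && out_len == PSA_HASH_LENGTH(PSA_ALG_SHA_1)) ? 0 : -1;`. A failed hash is still reported only as an empty result from `digestHelper`; that is unambiguous (a real digest is always `DigestSize` bytes), but the comment explaining the convention was dropped in this hunk and callers such as `digestReplace`, whose definition lies outside the hunk, overwrite the caller's value with `""` without any record of why, so restore it: `// Empty result = hash failure (e.g. PSA init failed); callers must check empty()`. `convertOp` is handed a `std::string_view` into the local `raw`, which is safe for the two lambdas in this header because both copy, but a `ConvertOp` that returned the view would dangle; a one-line comment on the `return` stating that the view must not escape is worth adding. `digestHelper`'s signature begins just before this hunk.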
@@ -130,3 +116,4 @@ class Sha1 : public DigestImpl<&modsec_psa_sha1, 20> {}; } // namespace modsecurity::Utils #endif // SRC_UTILS_SHA1_H_ + From 9328b6c55f409956103d68d34e16df9c53db2bdd Mon Sep 17 00:00:00 2001 From: jens Date: Fri, 27 Mar 2026 16:19:19 +0100 Subject: [PATCH 14/15] improve-mbedtls-v4-integration-for-macos-and-windows --- .github/workflows/ci_new.yml | 6 +- Makefile.am | 9 ++- build.sh | 28 +------ build/gen-mbedtls-sources.py | 33 +++++++++ build/win32/CMakeLists.txt | 137 ++++++++++++++++++++++++++++++++++- configure.ac | 109 +++++++++++++++++++++++++++- others/Makefile.am | 107 +++++++++------------------ others/mbedtls_sources.mk | 77 ++++++++++++++++++++ 8 files changed, 399 insertions(+), 107 deletions(-) create mode 100644 build/gen-mbedtls-sources.py create mode 100644 others/mbedtls_sources.mk diff --git a/.github/workflows/ci_new.yml b/.github/workflows/ci_new.yml index 27020ae6a..38e1cf493 100644 --- a/.github/workflows/ci_new.yml +++ b/.github/workflows/ci_new.yml @@ -206,7 +206,7 @@ jobs: - name: Install cppcheck run: | - brew install autoconf automake libtool cppcheck libmaxminddb yajl lua lmdb ssdeep + brew install autoconf automake libtool cppcheck libmaxminddb yajl lua lmdb ssdeep python3 - name: Configure project run: | @@ -256,7 +256,9 @@ jobs: libfuzzy-dev \ pcre2-utils \ bison \ - flex + flex \ + python3 \ + python3-venv - name: Run build preparation script run: ./build.sh diff --git a/Makefile.am b/Makefile.am index 7ac184b50..9ff567062 100644 --- a/Makefile.am +++ b/Makefile.am @@ -54,6 +54,12 @@ parser: cat src/parser/seclang-parser.hh | sed "s/return \*new (yyas_ ()) T (t)/return *new (yyas_ ()) T (std::move((T\&)t))/g" > src/parser/seclang-parser.hh.fix && mv src/parser/seclang-parser.hh.fix src/parser/seclang-parser.hh +CPPCHECK_EXCLUDES = \ + src/parser/seclang-parser.cc \ + src/parser/seclang-scanner.cc \ + others \ + .build-venv + cppcheck: @cppcheck -U YYSTYPE -U MBEDTLS_MD5_ALT -U MBEDTLS_SHA1_ALT \ 
@@ -65,8 +71,7 @@ cppcheck: --template="warning: {file},{line},{severity},{id},{message}" \ -I headers -I . -I $(top_srcdir)/others -I $(top_srcdir)/src -I $(top_srcdir)/others/mbedtls/include \ --error-exitcode=1 \ - -i "src/parser/seclang-parser.cc" -i "src/parser/seclang-scanner.cc" \ - -i others \ + $(foreach path,$(CPPCHECK_EXCLUDES),-i "$(path)") \ --std=c++17 \ --force --verbose . diff --git a/build.sh b/build.sh index 59fbda2a7..25667e53c 100755 --- a/build.sh +++ b/build.sh @@ -21,31 +21,9 @@ ls -1 \ engine/*.h \ *.h | tr "\012" " " >> headers.mk cd ../ -############################################################################## -# NEW: Automatically generate psa_crypto_driver_wrappers.h, path will be searched -############################################################################## -echo "[+] Searching for psa_crypto_driver_wrappers.h …" -if ! find . -maxdepth 10 -type f -name 'psa_crypto_driver_wrappers.h' | grep -q \ -.; then - echo "[+] File not found, searching for generate_driver_wrappers.py …" - GEN_SCRIPT=$(find . -maxdepth 10 -type f -name 'generate_driver_wrappers.py' | head -n 1) - if [ -n "$GEN_SCRIPT" ]; then - GEN_DIR=$(dirname "$GEN_SCRIPT") - echo "[+] Generator script found in: $GEN_DIR" - ( - cd "$GEN_DIR" || exit 1 - # optional: silently install Python dependencies - python3 -m pip install --user jinja2 jsonschema >/dev/null 2>&1 || true - echo "[+] Running: python3 $(basename "$GEN_SCRIPT")" - python3 "$(basename "$GEN_SCRIPT")" - ) - else - echo "[!] No generate_driver_wrappers.py found – skipping this step." - fi -else - echo "[+] psa_crypto_driver_wrappers.h already exists, nothing to do." -fi -############################################################################## + +./build/gen-mbedtls-sources.py + case `uname` in Darwin*) glibtoolize --force --copy ;; *) libtoolize --force --copy ;; esac autoreconf --install 
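Review bot: `./build/gen-mbedtls-sources.py` is invoked directly, but the file is created in this commit with mode 100644 (see the `new file mode` line of the following diff), so on a fresh checkout the shell reports "Permission denied"; build.sh has no `set -e`, so it then carries on to libtoolize/autoreconf with a missing or stale `others/mbedtls_sources.mk`. Run it through the interpreter and stop on failure: `python3 ./build/gen-mbedtls-sources.py || exit 1`.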
diff --git a/build/gen-mbedtls-sources.py b/build/gen-mbedtls-sources.py new file mode 100644 index 000000000..da435092b --- /dev/null +++ b/build/gen-mbedtls-sources.py @@ -0,0 +1,33 @@ +#!/usr/bin/env python3 +from pathlib import Path + +root = Path(__file__).resolve().parents[1] +core_dir = root / "others/mbedtls/tf-psa-crypto/core" +builtin_dir = root / "others/mbedtls/tf-psa-crypto/drivers/builtin/src" +out = root / "others/mbedtls_sources.mk" + +header = "# Auto-generated by build/gen-mbedtls-sources.py. Do not edit manually.\n" + +if not core_dir.is_dir() or not builtin_dir.is_dir(): + raise SystemExit( + "mbedTLS submodule is not initialized. Run: git submodule update --init --recursive others/mbedtls" + ) + +core = [ + p.relative_to(root / "others").as_posix() + for p in sorted(core_dir.glob("*.c")) + if p.name != "psa_crypto_driver_wrappers_no_static.c" +] +builtin = [p.relative_to(root / "others").as_posix() for p in sorted(builtin_dir.glob("*.c"))] + + +def emit(name: str, items: list[str]) -> str: + if not items: + return f"{name} =\n" + lines = [f"{name} = \\\n"] + for i, item in enumerate(items): + suffix = " \\\n" if i < len(items) - 1 else "\n" + lines.append(f" {item}{suffix}") + return "".join(lines) + +out.write_text(header + emit("MBED_PSA_CORE_SOURCES", core) + "\n" + emit("MBED_BUILTIN_SOURCES", builtin), encoding="utf-8") diff --git a/build/win32/CMakeLists.txt b/build/win32/CMakeLists.txt index fbf39f08d..f07fbf034 100644 --- a/build/win32/CMakeLists.txt +++ b/build/win32/CMakeLists.txt 
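Review bot: `def emit(name: str, items: list[str])` uses the built-in generic `list[str]`, which is evaluated when the function is defined and raises `TypeError` on Python 3.8 and older, so the script, and with it build.sh, fails before producing anything on such systems; the CI changes in this commit add `python3` without stating a minimum version. Add `from __future__ import annotations` as the first statement (available since 3.7) or use `typing.List[str]`. The file is also created with mode 100644 while carrying a `#!/usr/bin/env python3` shebang and being run as `./build/gen-mbedtls-sources.py` from build.sh, so it needs the executable bit or an explicit interpreter at the call site. Finally, the script rewrites `others/mbedtls_sources.mk`, which this same commit also checks in; a short comment at the top saying which of the two is authoritative and when the committed copy must be regenerated would make the intended relationship explicit.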
@@ -52,9 +52,118 @@ project(mbedcrypto C) set(MBEDTLS_DIR ${BASE_DIR}/others/mbedtls) -add_library(mbedcrypto STATIC ${MBEDTLS_DIR}/library/base64.c ${MBEDTLS_DIR}/library/sha1.c ${MBEDTLS_DIR}/library/md5.c ${MBEDTLS_DIR}/library/platform_util.c ${MBEDTLS_DIR}/library/constant_time.c) +set(TF_PSA_CRYPTO_CORE_DIR ${MBEDTLS_DIR}/tf-psa-crypto/core) +set(TF_PSA_CRYPTO_BUILTIN_DIR ${MBEDTLS_DIR}/tf-psa-crypto/drivers/builtin/src) +set(TF_PSA_CRYPTO_INCLUDE_DIR ${MBEDTLS_DIR}/tf-psa-crypto/include) +set(TF_PSA_CRYPTO_BUILTIN_INCLUDE_DIR ${MBEDTLS_DIR}/tf-psa-crypto/drivers/builtin/include) +set(MBEDTLS_PSA_WRAPPERS_C ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated/psa_crypto_driver_wrappers_no_static.c) +set(MBEDTLS_PSA_WRAPPERS_H ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated/psa_crypto_driver_wrappers.h) +set(MBEDTLS_TF_PSA_CONFIG_HEADERS + ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated/tf_psa_crypto_config_check_before.h + ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated/tf_psa_crypto_config_check_final.h + ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated/tf_psa_crypto_config_check_user.h +) + +find_package(Python3 COMPONENTS Interpreter REQUIRED) + +execute_process( + COMMAND ${Python3_EXECUTABLE} -c "import venv" + RESULT_VARIABLE MBEDTLS_PYTHON_VENV_RESULT + OUTPUT_QUIET + ERROR_QUIET +) + +if(NOT MBEDTLS_PYTHON_VENV_RESULT EQUAL 0) + message(FATAL_ERROR + "python3 module 'venv' is required for mbedTLS v4 wrapper generation environment setup. 
" + "Please install python3-venv (or equivalent) for ${Python3_EXECUTABLE}.") +endif() + +set(MBEDTLS_PYTHON_VENV_DIR ${CMAKE_CURRENT_BINARY_DIR}/.build-venv) +if(WIN32) + set(MBEDTLS_PYTHON ${MBEDTLS_PYTHON_VENV_DIR}/Scripts/python.exe) +else() + set(MBEDTLS_PYTHON ${MBEDTLS_PYTHON_VENV_DIR}/bin/python) +endif() + +if(NOT EXISTS ${MBEDTLS_PYTHON}) + execute_process( + COMMAND ${Python3_EXECUTABLE} -m venv ${MBEDTLS_PYTHON_VENV_DIR} + RESULT_VARIABLE MBEDTLS_VENV_CREATE_RESULT + ) + if(NOT MBEDTLS_VENV_CREATE_RESULT EQUAL 0) + message(FATAL_ERROR "Failed to create Python virtual environment: ${MBEDTLS_PYTHON_VENV_DIR}") + endif() +endif() -target_include_directories(mbedcrypto PRIVATE ${MBEDTLS_DIR}/include) +execute_process( + COMMAND ${MBEDTLS_PYTHON} -m pip --version + RESULT_VARIABLE MBEDTLS_PIP_CHECK_RESULT + OUTPUT_QUIET + ERROR_QUIET +) +if(NOT MBEDTLS_PIP_CHECK_RESULT EQUAL 0) + execute_process( + COMMAND ${MBEDTLS_PYTHON} -m ensurepip --upgrade + RESULT_VARIABLE MBEDTLS_ENSUREPIP_RESULT + ) + if(NOT MBEDTLS_ENSUREPIP_RESULT EQUAL 0) + message(FATAL_ERROR "Failed to bootstrap pip in ${MBEDTLS_PYTHON_VENV_DIR}") + endif() +endif() + +execute_process( + COMMAND ${MBEDTLS_PYTHON} -c "import jinja2, jsonschema" + RESULT_VARIABLE MBEDTLS_PYTHON_MODULES_RESULT + OUTPUT_QUIET + ERROR_QUIET +) +if(NOT MBEDTLS_PYTHON_MODULES_RESULT EQUAL 0) + execute_process( + COMMAND ${MBEDTLS_PYTHON} -m pip install --disable-pip-version-check jinja2 jsonschema + RESULT_VARIABLE MBEDTLS_PIP_INSTALL_RESULT + ) + if(NOT MBEDTLS_PIP_INSTALL_RESULT EQUAL 0) + message(FATAL_ERROR + "Failed to install Python modules 'jinja2' and 'jsonschema' into ${MBEDTLS_PYTHON_VENV_DIR}. 
" + "Please verify network/package access and re-run CMake.") + endif() +endif() + +add_custom_command( + OUTPUT ${MBEDTLS_PSA_WRAPPERS_C} ${MBEDTLS_PSA_WRAPPERS_H} ${MBEDTLS_TF_PSA_CONFIG_HEADERS} + COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated + COMMAND ${MBEDTLS_PYTHON} ${MBEDTLS_DIR}/tf-psa-crypto/scripts/generate_driver_wrappers.py ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated + COMMAND ${CMAKE_COMMAND} -E chdir ${MBEDTLS_DIR}/tf-psa-crypto ${MBEDTLS_PYTHON} scripts/generate_config_checks.py ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated + DEPENDS + ${MBEDTLS_DIR}/tf-psa-crypto/scripts/generate_driver_wrappers.py + ${MBEDTLS_DIR}/tf-psa-crypto/scripts/generate_config_checks.py + ${MBEDTLS_DIR}/tf-psa-crypto/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja + ${MBEDTLS_DIR}/tf-psa-crypto/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja +) + +file(GLOB MBEDTLS_PSA_CORE_SOURCES CONFIGURE_DEPENDS ${TF_PSA_CRYPTO_CORE_DIR}/*.c) +list(FILTER MBEDTLS_PSA_CORE_SOURCES EXCLUDE REGEX "psa_crypto_driver_wrappers_no_static\\.c$") +file(GLOB MBEDTLS_BUILTIN_SOURCES CONFIGURE_DEPENDS ${TF_PSA_CRYPTO_BUILTIN_DIR}/*.c) + +add_library(mbedcrypto STATIC + ${MBEDTLS_PSA_CORE_SOURCES} + ${MBEDTLS_BUILTIN_SOURCES} + ${MBEDTLS_PSA_WRAPPERS_C} + ${MBEDTLS_PSA_WRAPPERS_H} + ${MBEDTLS_TF_PSA_CONFIG_HEADERS} +) + +target_include_directories(mbedcrypto PRIVATE + ${MBEDTLS_DIR}/include + ${TF_PSA_CRYPTO_INCLUDE_DIR} + ${TF_PSA_CRYPTO_CORE_DIR} + ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated + ${TF_PSA_CRYPTO_BUILTIN_INCLUDE_DIR} + ${TF_PSA_CRYPTO_BUILTIN_DIR} +) + +target_link_libraries(mbedcrypto PRIVATE bcrypt) # get mbedtls version with git describe execute_process( 
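Review bot: The configure step installs the generator's dependencies with `pip install --disable-pip-version-check jinja2 jsonschema`, with no version pins and no hash verification, so the versions used to generate `psa_crypto_driver_wrappers.h` and the config-check headers depend on whatever the index serves on the day the build runs, and an offline or proxied build fails at configure time; the configure.ac hunk in this commit (`if ! "$MBEDTLS_PYTHON" -m pip install ...`) has the same issue. Pin both in a single requirements file under `build/` and install it from both CMake and configure.ac with `pip install --require-hashes -r <requirements file>`, so the generated sources are reproducible and the dependency is reviewable in one place. The `execute_process(... -c "import jinja2, jsonschema")` probe already makes the install conditional, so pinning changes only what gets installed, not when.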
@@ -137,7 +246,17 @@ file(GLOB_RECURSE libModSecuritySources ${BASE_DIR}/src/*.cc) add_library(libModSecurity SHARED ${libModSecuritySources}) target_compile_definitions(libModSecurity PRIVATE WITH_PCRE2) -target_include_directories(libModSecurity PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others ${MBEDTLS_DIR}/include) +target_include_directories(libModSecurity PRIVATE + ${BASE_DIR} + ${BASE_DIR}/headers + ${BASE_DIR}/others + ${MBEDTLS_DIR}/include + ${TF_PSA_CRYPTO_INCLUDE_DIR} + ${TF_PSA_CRYPTO_CORE_DIR} + ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated + ${TF_PSA_CRYPTO_BUILTIN_INCLUDE_DIR} + ${TF_PSA_CRYPTO_BUILTIN_DIR} +) target_link_libraries(libModSecurity PRIVATE pcre2::pcre2 libinjection mbedcrypto Poco::Poco Iphlpapi.lib) macro(add_package_dependency project compile_definition link_library flag) @@ -164,7 +283,17 @@ project(libModSecurityTests) function(setTestTargetProperties executable) target_compile_definitions(${executable} PRIVATE WITH_PCRE2) - target_include_directories(${executable} PRIVATE ${BASE_DIR} ${BASE_DIR}/headers) + target_include_directories(${executable} PRIVATE + ${BASE_DIR} + ${BASE_DIR}/headers + ${BASE_DIR}/others + ${MBEDTLS_DIR}/include + ${TF_PSA_CRYPTO_INCLUDE_DIR} + ${TF_PSA_CRYPTO_CORE_DIR} + ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated + ${TF_PSA_CRYPTO_BUILTIN_INCLUDE_DIR} + ${TF_PSA_CRYPTO_BUILTIN_DIR} + ) target_link_libraries(${executable} PRIVATE libModSecurity pcre2::pcre2 dirent::dirent) add_package_dependency(${executable} WITH_YAJL yajl::yajl HAVE_YAJL) endfunction() diff --git a/configure.ac b/configure.ac index d3289f597..59020f866 100644 --- a/configure.ac +++ b/configure.ac @@ -57,7 +57,7 @@ AC_PROG_LN_S AC_PROG_MAKE_SET AC_PROG_MKDIR_P PKG_PROG_PKG_CONFIG - +AC_PATH_PROG([PYTHON3], [python3], [:]) # Set C++ standard version and check if compiler supports it. AX_CXX_COMPILE_STDCXX(17, noext, mandatory) 
@@ -100,6 +100,94 @@ AC_MSG_ERROR([\ ]) fi + + +if test "x$PYTHON3" = "x:"; then +AC_MSG_ERROR([\ + + python3 was not found. + + Mbed TLS v4 integration requires python3 + venv to generate PSA wrapper and + config-check sources in an isolated environment. + + Please install python3 (including the venv module) and re-run build.sh/configure. + + ]) +fi + +if ! "$PYTHON3" -c "import venv" >/dev/null 2>&1; then +AC_MSG_ERROR([\ + + python3 module 'venv' is not available. + + ModSecurity's mbedTLS v4 build creates an isolated Python environment + automatically and requires python3-venv support. + + Please install python3-venv (or your platform equivalent) and re-run configure. + + ]) +fi + +MBEDTLS_PYTHON_VENV_PROBE_DIR=`mktemp -d "${TMPDIR-/tmp}/modsecurity-python-venv.XXXXXX" 2>/dev/null` +if test "x$MBEDTLS_PYTHON_VENV_PROBE_DIR" = "x" || test ! -d "$MBEDTLS_PYTHON_VENV_PROBE_DIR"; then +AC_MSG_ERROR([\ + + Failed to create a temporary directory to validate python3 venv support. + + Please ensure mktemp works and the temporary directory is writable, then re-run configure. + + ]) +fi + +if ! "$PYTHON3" -m venv "$MBEDTLS_PYTHON_VENV_PROBE_DIR" >/dev/null 2>&1; then + rm -rf "$MBEDTLS_PYTHON_VENV_PROBE_DIR" +AC_MSG_ERROR([\ + + python3 was found, but creating a virtual environment failed. + + ModSecurity's mbedTLS v4 build requires a working python3 venv implementation. + On Debian/Ubuntu this usually means the package 'python3-venv' is missing. + + Please install python3-venv (for example: apt install python3-venv) and re-run configure. + + ]) +fi + +rm -rf "$MBEDTLS_PYTHON_VENV_PROBE_DIR" + +MBEDTLS_PYTHON_VENV_DIR="`pwd`/.build-venv" +MBEDTLS_PYTHON="$MBEDTLS_PYTHON_VENV_DIR/bin/python" + +if test ! -x "$MBEDTLS_PYTHON"; then + AC_MSG_NOTICE([Creating Python virtual environment for mbedTLS v4 in $MBEDTLS_PYTHON_VENV_DIR]) + if ! 
"$PYTHON3" -m venv "$MBEDTLS_PYTHON_VENV_DIR" >/dev/null 2>&1; then + AC_MSG_ERROR([Failed to create Python virtual environment in $MBEDTLS_PYTHON_VENV_DIR. +Please verify that python3-venv is installed and that the build directory is writable.]) + fi +fi + +if ! "$MBEDTLS_PYTHON" -m pip --version >/dev/null 2>&1; then + if ! "$MBEDTLS_PYTHON" -m ensurepip --upgrade >/dev/null 2>&1; then + AC_MSG_ERROR([Failed to bootstrap pip inside $MBEDTLS_PYTHON_VENV_DIR.]) + fi +fi + +if ! "$MBEDTLS_PYTHON" -c "import jinja2, jsonschema" >/dev/null 2>&1; then + AC_MSG_NOTICE([Installing Python build dependencies (jinja2, jsonschema) into $MBEDTLS_PYTHON_VENV_DIR]) + if ! "$MBEDTLS_PYTHON" -m pip install --disable-pip-version-check jinja2 jsonschema >/dev/null 2>&1; then +AC_MSG_ERROR([\ + + Failed to install Python modules 'jinja2' and 'jsonschema' into: + $MBEDTLS_PYTHON_VENV_DIR + + Please verify network/package access and re-run configure. + + ]) + fi +fi + +AC_SUBST([MBEDTLS_PYTHON]) + # Mbed TLS version AC_DEFUN([MBEDTLS_VERSION], m4_esyscmd_s(cd "others/mbedtls" && git describe && cd ../..)) @@ -296,6 +384,25 @@ if test $buildParser = true; then AC_PATH_PROG([BISON], [bison]) test "x$BISON" = "x" && AC_MSG_ERROR([bison is needed to build ModSecurity]) + + BISON_VERSION=`$BISON --version 2>/dev/null | head -n 1 | sed 's/.* //g'` + AC_SUBST([BISON_VERSION]) + if ! awk 'BEGIN { + split(ARGV[1], current, "."); + split(ARGV[2], required, "."); + for (i = 1; i <= 3; ++i) { + c = (current[i] == "") ? 0 : current[i]; + r = (required[i] == "") ? 0 : required[i]; + if ((c + 0) > (r + 0)) exit 0; + if ((c + 0) < (r + 0)) exit 1; + } + exit 0; + }' "$BISON_VERSION" "3.0.2"; then + AC_MSG_ERROR([bison >= 3.0.2 is required for --enable-parser-generation. +Install a newer bison or disable parser generation to use the checked-in parser sources.]) + fi + + AC_PATH_PROG([YACC_INST], $YACC) if test ! -f "$srcdir/gram.c"; then if test -z "$YACC_INST"; then 
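Review bot: Every python/pip step in the venv bootstrap redirects `>/dev/null 2>&1`, so when `pip install --disable-pip-version-check jinja2 jsonschema` fails the user only gets the generic `AC_MSG_ERROR` text and never pip's own diagnosis (proxy, TLS, missing wheel); drop the redirection on the install, or capture it to a log file and name that file in the error message. `MBEDTLS_PYTHON_VENV_DIR` is derived from `pwd` at configure time and `MBEDTLS_PYTHON` hard-codes the `bin/python` layout, which is the POSIX venv layout only (the CMake side of this commit special-cases `Scripts/python.exe`); a comment stating that configure.ac targets POSIX hosts and that Windows goes through CMake would save the next reader a detour.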
diff --git a/others/Makefile.am b/others/Makefile.am
index 91f6e389c..45be584a6 100644
--- a/others/Makefile.am
+++ b/others/Makefile.am
@@ -22,79 +22,40 @@ noinst_HEADERS = \ mbedtls/tf-psa-crypto/include/mbedtls/platform.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/sha1.h -MBED_PSA_CORE_SOURCES = \ - mbedtls/tf-psa-crypto/core/psa_crypto.c \ - mbedtls/tf-psa-crypto/core/psa_crypto_client.c \ - mbedtls/tf-psa-crypto/core/psa_crypto_slot_management.c \ - mbedtls/tf-psa-crypto/core/psa_crypto_storage.c \ - mbedtls/tf-psa-crypto/core/psa_its_file.c \ - mbedtls/tf-psa-crypto/core/psa_crypto_driver_wrappers_no_static.c +include $(top_srcdir)/others/mbedtls_sources.mk -MBED_BUILTIN_SOURCES = \ - mbedtls/tf-psa-crypto/drivers/builtin/src/aes.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/aesce.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/aesni.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/aria.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/asn1parse.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/asn1write.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/bignum.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_core.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_mod.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/block_cipher.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/camellia.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/ccm.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/chacha20.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/chachapoly.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/cipher.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/cipher_wrap.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/cmac.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/constant_time.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/ctr_drbg.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/ecdh.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/ecdsa.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/ecjpake.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/ecp.c \ - 
mbedtls/tf-psa-crypto/drivers/builtin/src/ecp_curves.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/ecp_curves_new.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/entropy.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/entropy_poll.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/gcm.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/hmac_drbg.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/md.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/memory_buffer_alloc.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/nist_kw.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/oid.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/pem.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/pk.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/pk_ecc.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/pk_rsa.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/pk_wrap.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/pkcs5.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/pkparse.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/pkwrite.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/platform.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/poly1305.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_aead.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_cipher.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_ecp.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_ffdh.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_hash.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_mac.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_pake.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_rsa.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/psa_util.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/ripemd160.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/rsa.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/rsa_alt_helpers.c \ - 
mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/sha256.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/sha3.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/sha512.c \ - mbedtls/tf-psa-crypto/drivers/builtin/src/threading.c +MBED_PSA_CORE_SOURCES += \ + $(MBED_GENERATED_PSA_WRAPPERS_C) + +MBEDTLS_PY = @MBEDTLS_PYTHON@ +MBED_GENERATED_CORE_DIR = $(builddir)/mbedtls-generated/core +MBED_GENERATED_PSA_WRAPPERS_H = $(MBED_GENERATED_CORE_DIR)/psa_crypto_driver_wrappers.h +MBED_GENERATED_PSA_WRAPPERS_C = $(MBED_GENERATED_CORE_DIR)/psa_crypto_driver_wrappers_no_static.c +MBED_GENERATED_TF_PSA_CONFIG_HDRS = \ + $(MBED_GENERATED_CORE_DIR)/tf_psa_crypto_config_check_before.h \ + $(MBED_GENERATED_CORE_DIR)/tf_psa_crypto_config_check_final.h \ + $(MBED_GENERATED_CORE_DIR)/tf_psa_crypto_config_check_user.h +MBED_GENERATED_STAMP = $(MBED_GENERATED_CORE_DIR)/.generated.stamp + +BUILT_SOURCES = \ + $(MBED_GENERATED_PSA_WRAPPERS_H) \ + $(MBED_GENERATED_PSA_WRAPPERS_C) \ + $(MBED_GENERATED_TF_PSA_CONFIG_HDRS) + +CLEANFILES = \ + $(MBED_GENERATED_PSA_WRAPPERS_H) \ + $(MBED_GENERATED_PSA_WRAPPERS_C) \ + $(MBED_GENERATED_TF_PSA_CONFIG_HDRS) \ + $(MBED_GENERATED_STAMP) + +$(MBED_GENERATED_PSA_WRAPPERS_H) $(MBED_GENERATED_PSA_WRAPPERS_C) $(MBED_GENERATED_TF_PSA_CONFIG_HDRS): $(MBED_GENERATED_STAMP) + +$(MBED_GENERATED_STAMP): + $(AM_V_at)mkdir -p $(MBED_GENERATED_CORE_DIR) + $(AM_V_GEN)$(MBEDTLS_PY) $(top_srcdir)/others/mbedtls/tf-psa-crypto/scripts/generate_driver_wrappers.py $(MBED_GENERATED_CORE_DIR) + $(AM_V_GEN)cd $(top_srcdir)/others/mbedtls/tf-psa-crypto && \ + $(MBEDTLS_PY) scripts/generate_config_checks.py $(abspath $(MBED_GENERATED_CORE_DIR)) + $(AM_V_at)touch $(MBED_GENERATED_STAMP) libmbedtls_la_SOURCES = \ $(MBED_PSA_CORE_SOURCES) \ 
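Review bot: The `$(MBED_GENERATED_STAMP):` rule declares no prerequisites, so once the stamp exists the driver wrappers and the `tf_psa_crypto_config_check_*.h` headers are never regenerated, even after the mbedtls submodule is bumped to a revision whose `generate_driver_wrappers.py` or `generate_config_checks.py` (or their templates) changed. Because `BUILT_SOURCES` only forces the rule to be considered, not re-run, an incremental build would then compile new mbedtls core sources against stale generated wrappers/config checks. At minimum the two generator scripts should be prerequisites, e.g. `$(MBED_GENERATED_STAMP): $(top_srcdir)/others/mbedtls/tf-psa-crypto/scripts/generate_driver_wrappers.py $(top_srcdir)/others/mbedtls/tf-psa-crypto/scripts/generate_config_checks.py`, and ideally whatever data/template files those scripts read (their paths are not visible in this hunk). Note also that `$(abspath …)` in the recipe is a GNU make extension, which is worth a comment if the project otherwise aims at portable Automake output.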
@@ -105,9 +66,9 @@ libmbedtls_la_CPPFLAGS = \ -I$(top_srcdir)/others/mbedtls/include \ -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \ -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core \ + -I$(top_builddir)/others/mbedtls-generated/core \ -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src #libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = - diff --git a/others/mbedtls_sources.mk b/others/mbedtls_sources.mk new file mode 100644 index 000000000..24e3d5e32 --- /dev/null +++ b/others/mbedtls_sources.mk 
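Review bot: The new `-I$(top_builddir)/others/mbedtls-generated/core` is placed after `-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core`, so if a `psa_crypto_driver_wrappers.h` or config-check header is ever present in the submodule's `core/` directory (the previous Makefile.am compiled `core/psa_crypto_driver_wrappers_no_static.c` straight from that tree, so in-tree leftovers from an earlier generation run are plausible) the stale source-tree copy shadows the freshly generated one and the build silently uses the wrong wrappers. Putting the builddir include first, i.e. moving `-I$(top_builddir)/others/mbedtls-generated/core \` ahead of the `tf-psa-crypto/core` line, makes the generated headers win regardless of what the submodule checkout contains.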
@@ -0,0 +1,77 @@ +# Auto-generated by build/gen-mbedtls-sources.py. Do not edit manually. +MBED_PSA_CORE_SOURCES = \ + mbedtls/tf-psa-crypto/core/psa_crypto.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_client.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_slot_management.c \ + mbedtls/tf-psa-crypto/core/psa_crypto_storage.c \ + mbedtls/tf-psa-crypto/core/psa_its_file.c \ + mbedtls/tf-psa-crypto/core/tf_psa_crypto_config.c \ + mbedtls/tf-psa-crypto/core/tf_psa_crypto_version.c + +MBED_BUILTIN_SOURCES = \ + mbedtls/tf-psa-crypto/drivers/builtin/src/aes.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/aesce.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/aesni.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/aria.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/asn1parse.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/asn1write.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/bignum.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_core.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_mod.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/block_cipher.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/camellia.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ccm.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/chacha20.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/chachapoly.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/cipher.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/cipher_wrap.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/cmac.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/constant_time.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ctr_drbg.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ecdh.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ecdsa.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ecjpake.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ecp.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ecp_curves.c \ + 
mbedtls/tf-psa-crypto/drivers/builtin/src/ecp_curves_new.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/entropy.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/entropy_poll.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/gcm.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/hmac_drbg.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/lmots.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/lms.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/md.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/memory_buffer_alloc.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/nist_kw.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/oid.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pem.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pk.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pk_ecc.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pk_rsa.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pk_wrap.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pkcs5.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pkparse.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/pkwrite.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/platform.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/poly1305.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_aead.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_cipher.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_ecp.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_ffdh.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_hash.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_mac.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_pake.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_rsa.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/psa_util.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/ripemd160.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/rsa.c \ + 
mbedtls/tf-psa-crypto/drivers/builtin/src/rsa_alt_helpers.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/sha256.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/sha3.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/sha512.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/threading.c From b478e61fd1feeb340219f70202b6955e69b9840d Mon Sep 17 00:00:00 2001 From: jens Date: Fri, 27 Mar 2026 16:41:13 +0100 Subject: [PATCH 15/15] Update gen-mbedtls-sources.py (permissions/changes) --- .github/workflows/ci_new.yml | 6 ++++-- build/gen-mbedtls-sources.py | 0 2 files changed, 4 insertions(+), 2 deletions(-) mode change 100644 => 100755 build/gen-mbedtls-sources.py diff --git a/.github/workflows/ci_new.yml b/.github/workflows/ci_new.yml index 38e1cf493..32705387e 100644 --- a/.github/workflows/ci_new.yml +++ b/.github/workflows/ci_new.yml @@ -35,7 +35,7 @@ jobs: - { label: "with pcre", opt: "--with-pcre" } steps: - - uses: actions/checkout@v6 +git push --force - uses: actions/checkout@v6 with: fetch-depth: 0 submodules: recursive @@ -56,7 +56,9 @@ jobs: libpcre3-dev \ bison \ flex \ - pkg-config + pkg-config \ + python3 \ + python3-venv - name: Run build preparation script diff --git a/build/gen-mbedtls-sources.py b/build/gen-mbedtls-sources.py old mode 100644 new mode 100755
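Review bot: The `@@ -35,7 +35,7 @@` hunk of `.github/workflows/ci_new.yml` replaces the `- uses: actions/checkout@v6` step with a line containing `git push --force`, which reads like a shell command pasted into the workflow file by accident rather than an intended change. A bare `git push --force` scalar inside the `steps:` sequence (or glued onto the checkout line, which the collapsed diff makes impossible to tell apart) is not a valid step and will make the workflow fail to parse, taking the whole CI matrix down; the fix is to drop the stray text and keep `      - uses: actions/checkout@v6` as it was. The second hunk, adding `python3` and `python3-venv` to the apt list, is consistent with the configure-time venv bootstrap and looks fine.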