Add initial mbedTLS v4 support

.github/workflows/ci_new.yml

@@ -35,7 +35,7 @@ jobs:
           - { label: "with pcre",        opt: "--with-pcre" }
 
     steps:
-      - uses: actions/checkout@v6
+git push --force      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           submodules: recursive
@@ -56,7 +56,9 @@ jobs:
             libpcre3-dev \
             bison \
             flex \
-            pkg-config
+            pkg-config \
+            python3 \
+            python3-venv
 
 
       - name: Run build preparation script
@@ -206,7 +208,7 @@ jobs:
 
       - name: Install cppcheck
         run: |
-          brew install autoconf automake libtool cppcheck libmaxminddb yajl lua lmdb ssdeep
+          brew install autoconf automake libtool cppcheck libmaxminddb yajl lua lmdb ssdeep python3 
 
       - name: Configure project
         run: |
@@ -256,7 +258,9 @@ jobs:
             libfuzzy-dev \
             pcre2-utils \
             bison \
-            flex
+            flex \
+            python3 \
+            python3-venv
 
       - name: Run build preparation script
         run: ./build.sh

Makefile.am

@@ -54,6 +54,12 @@ parser:
 	cat src/parser/seclang-parser.hh | sed "s/return \*new (yyas_<T> ()) T (t)/return *new (yyas_<T> ()) T (std::move((T\&)t))/g"  > src/parser/seclang-parser.hh.fix && mv src/parser/seclang-parser.hh.fix src/parser/seclang-parser.hh
 
 
+CPPCHECK_EXCLUDES = \
+	src/parser/seclang-parser.cc \
+	src/parser/seclang-scanner.cc \
+	others \
+	.build-venv
+
 
 cppcheck:
 	@cppcheck -U YYSTYPE -U MBEDTLS_MD5_ALT -U MBEDTLS_SHA1_ALT \
@@ -65,8 +71,7 @@ cppcheck:
 		--template="warning: {file},{line},{severity},{id},{message}" \
 		-I headers -I . -I $(top_srcdir)/others -I $(top_srcdir)/src -I $(top_srcdir)/others/mbedtls/include \
 		--error-exitcode=1 \
-		-i "src/parser/seclang-parser.cc" -i "src/parser/seclang-scanner.cc" \
-		-i others \
+		$(foreach path,$(CPPCHECK_EXCLUDES),-i "$(path)") \
 		--std=c++17 \
 		--force --verbose .
 

build.sh

@@ -1,8 +1,6 @@
 #!/bin/sh
-
 rm -rf autom4te.cache
 rm -f aclocal.m4
-
 cd src
 rm -f headers.mk
 echo "noinst_HEADERS = \\" > headers.mk
@@ -24,12 +22,12 @@ ls -1 \
     *.h | tr "\012" " " >> headers.mk
 cd ../
 
+./build/gen-mbedtls-sources.py
+
 case `uname` in Darwin*) glibtoolize --force --copy ;;
   *) libtoolize --force --copy ;; esac
 autoreconf --install
 autoheader
 automake --add-missing --foreign --copy --force-missing
 autoconf --force
 rm -rf autom4te.cache
-
-

build/gen-mbedtls-sources.py

@@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+from pathlib import Path
+
+root = Path(__file__).resolve().parents[1]
+core_dir = root / "others/mbedtls/tf-psa-crypto/core"
+builtin_dir = root / "others/mbedtls/tf-psa-crypto/drivers/builtin/src"
+out = root / "others/mbedtls_sources.mk"
+
+header = "# Auto-generated by build/gen-mbedtls-sources.py. Do not edit manually.\n"
+
+if not core_dir.is_dir() or not builtin_dir.is_dir():
+    raise SystemExit(
+        "mbedTLS submodule is not initialized. Run: git submodule update --init --recursive others/mbedtls"
+    )
+
+core = [
+    p.relative_to(root / "others").as_posix()
+    for p in sorted(core_dir.glob("*.c"))
+    if p.name != "psa_crypto_driver_wrappers_no_static.c"
+]
+builtin = [p.relative_to(root / "others").as_posix() for p in sorted(builtin_dir.glob("*.c"))]
+
+
+def emit(name: str, items: list[str]) -> str:
+    if not items:
+        return f"{name} =\n"
+    lines = [f"{name} = \\\n"]
+    for i, item in enumerate(items):
+        suffix = " \\\n" if i < len(items) - 1 else "\n"
+        lines.append(f"        {item}{suffix}")
+    return "".join(lines)
+
+out.write_text(header + emit("MBED_PSA_CORE_SOURCES", core) + "\n" + emit("MBED_BUILTIN_SOURCES", builtin), encoding="utf-8")

build/win32/CMakeLists.txt

@@ -52,9 +52,118 @@ project(mbedcrypto C)
 
 set(MBEDTLS_DIR ${BASE_DIR}/others/mbedtls)
 
-add_library(mbedcrypto STATIC ${MBEDTLS_DIR}/library/base64.c ${MBEDTLS_DIR}/library/sha1.c ${MBEDTLS_DIR}/library/md5.c ${MBEDTLS_DIR}/library/platform_util.c ${MBEDTLS_DIR}/library/constant_time.c)
+set(TF_PSA_CRYPTO_CORE_DIR ${MBEDTLS_DIR}/tf-psa-crypto/core)
+set(TF_PSA_CRYPTO_BUILTIN_DIR ${MBEDTLS_DIR}/tf-psa-crypto/drivers/builtin/src)
+set(TF_PSA_CRYPTO_INCLUDE_DIR ${MBEDTLS_DIR}/tf-psa-crypto/include)
+set(TF_PSA_CRYPTO_BUILTIN_INCLUDE_DIR ${MBEDTLS_DIR}/tf-psa-crypto/drivers/builtin/include)
+set(MBEDTLS_PSA_WRAPPERS_C ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated/psa_crypto_driver_wrappers_no_static.c)
+set(MBEDTLS_PSA_WRAPPERS_H ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated/psa_crypto_driver_wrappers.h)
+set(MBEDTLS_TF_PSA_CONFIG_HEADERS
+    ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated/tf_psa_crypto_config_check_before.h
+    ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated/tf_psa_crypto_config_check_final.h
+    ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated/tf_psa_crypto_config_check_user.h
+)
+
+find_package(Python3 COMPONENTS Interpreter REQUIRED)
+
+execute_process(
+    COMMAND ${Python3_EXECUTABLE} -c "import venv"
+    RESULT_VARIABLE MBEDTLS_PYTHON_VENV_RESULT
+    OUTPUT_QUIET
+    ERROR_QUIET
+)
+
+if(NOT MBEDTLS_PYTHON_VENV_RESULT EQUAL 0)
+  message(FATAL_ERROR
+    "python3 module 'venv' is required for mbedTLS v4 wrapper generation environment setup. "
+    "Please install python3-venv (or equivalent) for ${Python3_EXECUTABLE}.")
+endif()
+
+set(MBEDTLS_PYTHON_VENV_DIR ${CMAKE_CURRENT_BINARY_DIR}/.build-venv)
+if(WIN32)
+    set(MBEDTLS_PYTHON ${MBEDTLS_PYTHON_VENV_DIR}/Scripts/python.exe)
+else()
+    set(MBEDTLS_PYTHON ${MBEDTLS_PYTHON_VENV_DIR}/bin/python)
+endif()
+
+if(NOT EXISTS ${MBEDTLS_PYTHON})
+    execute_process(
+        COMMAND ${Python3_EXECUTABLE} -m venv ${MBEDTLS_PYTHON_VENV_DIR}
+        RESULT_VARIABLE MBEDTLS_VENV_CREATE_RESULT
+    )
+    if(NOT MBEDTLS_VENV_CREATE_RESULT EQUAL 0)
+      message(FATAL_ERROR "Failed to create Python virtual environment: ${MBEDTLS_PYTHON_VENV_DIR}")
+    endif()
+endif()
 
-target_include_directories(mbedcrypto PRIVATE ${MBEDTLS_DIR}/include)
+execute_process(
+    COMMAND ${MBEDTLS_PYTHON} -m pip --version
+    RESULT_VARIABLE MBEDTLS_PIP_CHECK_RESULT
+    OUTPUT_QUIET
+    ERROR_QUIET
+)
+if(NOT MBEDTLS_PIP_CHECK_RESULT EQUAL 0)
+    execute_process(
+        COMMAND ${MBEDTLS_PYTHON} -m ensurepip --upgrade
+        RESULT_VARIABLE MBEDTLS_ENSUREPIP_RESULT
+    )
+    if(NOT MBEDTLS_ENSUREPIP_RESULT EQUAL 0)
+      message(FATAL_ERROR "Failed to bootstrap pip in ${MBEDTLS_PYTHON_VENV_DIR}")
+    endif()
+endif()
+
+execute_process(
+    COMMAND ${MBEDTLS_PYTHON} -c "import jinja2, jsonschema"
+    RESULT_VARIABLE MBEDTLS_PYTHON_MODULES_RESULT
+    OUTPUT_QUIET
+    ERROR_QUIET
+)
+if(NOT MBEDTLS_PYTHON_MODULES_RESULT EQUAL 0)
+    execute_process(
+        COMMAND ${MBEDTLS_PYTHON} -m pip install --disable-pip-version-check jinja2 jsonschema
+        RESULT_VARIABLE MBEDTLS_PIP_INSTALL_RESULT
+    )
+    if(NOT MBEDTLS_PIP_INSTALL_RESULT EQUAL 0)
+      message(FATAL_ERROR
+        "Failed to install Python modules 'jinja2' and 'jsonschema' into ${MBEDTLS_PYTHON_VENV_DIR}. "
+        "Please verify network/package access and re-run CMake.")
+    endif()
+endif()
+
+add_custom_command(
+    OUTPUT ${MBEDTLS_PSA_WRAPPERS_C} ${MBEDTLS_PSA_WRAPPERS_H} ${MBEDTLS_TF_PSA_CONFIG_HEADERS}
+    COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated
+    COMMAND ${MBEDTLS_PYTHON} ${MBEDTLS_DIR}/tf-psa-crypto/scripts/generate_driver_wrappers.py ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated
+    COMMAND ${CMAKE_COMMAND} -E chdir ${MBEDTLS_DIR}/tf-psa-crypto ${MBEDTLS_PYTHON} scripts/generate_config_checks.py ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated
+    DEPENDS
+        ${MBEDTLS_DIR}/tf-psa-crypto/scripts/generate_driver_wrappers.py
+        ${MBEDTLS_DIR}/tf-psa-crypto/scripts/generate_config_checks.py
+        ${MBEDTLS_DIR}/tf-psa-crypto/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
+        ${MBEDTLS_DIR}/tf-psa-crypto/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
+)
+
+file(GLOB MBEDTLS_PSA_CORE_SOURCES CONFIGURE_DEPENDS ${TF_PSA_CRYPTO_CORE_DIR}/*.c)
+list(FILTER MBEDTLS_PSA_CORE_SOURCES EXCLUDE REGEX "psa_crypto_driver_wrappers_no_static\\.c$")
+file(GLOB MBEDTLS_BUILTIN_SOURCES CONFIGURE_DEPENDS ${TF_PSA_CRYPTO_BUILTIN_DIR}/*.c)
+
+add_library(mbedcrypto STATIC
+    ${MBEDTLS_PSA_CORE_SOURCES}
+    ${MBEDTLS_BUILTIN_SOURCES}
+    ${MBEDTLS_PSA_WRAPPERS_C}
+    ${MBEDTLS_PSA_WRAPPERS_H}
+    ${MBEDTLS_TF_PSA_CONFIG_HEADERS}
+)
+
+target_include_directories(mbedcrypto PRIVATE
+    ${MBEDTLS_DIR}/include
+    ${TF_PSA_CRYPTO_INCLUDE_DIR}
+    ${TF_PSA_CRYPTO_CORE_DIR}
+    ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated
+    ${TF_PSA_CRYPTO_BUILTIN_INCLUDE_DIR}
+    ${TF_PSA_CRYPTO_BUILTIN_DIR}
+)
+
+target_link_libraries(mbedcrypto PRIVATE bcrypt)
 
 # get mbedtls version with git describe
 execute_process(
@@ -137,7 +246,17 @@ file(GLOB_RECURSE libModSecuritySources ${BASE_DIR}/src/*.cc)
 add_library(libModSecurity SHARED ${libModSecuritySources})
 
 target_compile_definitions(libModSecurity PRIVATE WITH_PCRE2)
-target_include_directories(libModSecurity PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others ${MBEDTLS_DIR}/include)
+target_include_directories(libModSecurity PRIVATE
+    ${BASE_DIR}
+    ${BASE_DIR}/headers
+    ${BASE_DIR}/others
+    ${MBEDTLS_DIR}/include
+    ${TF_PSA_CRYPTO_INCLUDE_DIR}
+    ${TF_PSA_CRYPTO_CORE_DIR}
+    ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated
+    ${TF_PSA_CRYPTO_BUILTIN_INCLUDE_DIR}
+    ${TF_PSA_CRYPTO_BUILTIN_DIR}
+)
 target_link_libraries(libModSecurity PRIVATE pcre2::pcre2 libinjection mbedcrypto Poco::Poco Iphlpapi.lib)
 
 macro(add_package_dependency project compile_definition link_library flag)
@@ -164,7 +283,17 @@ project(libModSecurityTests)
 
 function(setTestTargetProperties executable)
   target_compile_definitions(${executable} PRIVATE WITH_PCRE2)
-  target_include_directories(${executable} PRIVATE ${BASE_DIR} ${BASE_DIR}/headers)
+  target_include_directories(${executable} PRIVATE
+    ${BASE_DIR}
+    ${BASE_DIR}/headers
+    ${BASE_DIR}/others
+    ${MBEDTLS_DIR}/include
+    ${TF_PSA_CRYPTO_INCLUDE_DIR}
+    ${TF_PSA_CRYPTO_CORE_DIR}
+    ${CMAKE_CURRENT_BINARY_DIR}/mbedtls_generated
+    ${TF_PSA_CRYPTO_BUILTIN_INCLUDE_DIR}
+    ${TF_PSA_CRYPTO_BUILTIN_DIR}
+  )
   target_link_libraries(${executable} PRIVATE libModSecurity pcre2::pcre2 dirent::dirent)
   add_package_dependency(${executable} WITH_YAJL yajl::yajl HAVE_YAJL)
 endfunction()