Skip to content

Add initial mbedTLS v4 support#3532

Open
Easton97-Jens wants to merge 7 commits intoowasp-modsecurity:v3/masterfrom
Easton97-Jens:v3/master-mbedtl-v4
Open

Add initial mbedTLS v4 support#3532
Easton97-Jens wants to merge 7 commits intoowasp-modsecurity:v3/masterfrom
Easton97-Jens:v3/master-mbedtl-v4

Conversation

@Easton97-Jens
Copy link
Copy Markdown
Contributor

@Easton97-Jens Easton97-Jens commented Apr 2, 2026

what

  • Added initial support for Mbed TLS 4.x (TF-PSA-Crypto layout)
  • Updated build system (autotools + CMake) to use new TF-PSA include paths and sources
  • Replaced direct usage of deprecated/removed headers (md5.h, sha1.h) with generic mbedtls_md API
  • Adjusted include paths and compiler flags to match the new directory structure
  • Updated detection logic in configure.ac to work with Mbed TLS 4.x layout
  • Ensured compatibility without changing external targets or package discovery behavior

why

  • Mbed TLS 4.x introduces breaking changes and a new internal layout (TF-PSA-Crypto)
  • Previous build logic relied on files like library/base64.c which no longer exist in 4.x
  • This caused build failures during ./configure and compilation
  • These changes allow ModSecurity to build successfully with modern Mbed TLS versions
  • Keeps changes minimal and backward-compatible with existing build expectations

references

@airween airween requested a review from Copilot April 2, 2026 17:54
Copilot AI reviewed Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds initial build/runtime compatibility with Mbed TLS 4.x’s TF-PSA-Crypto layout by updating bundled Mbed TLS paths/sources and migrating MD5/SHA1 hashing to the generic mbedtls_md API.

Changes:

  • Switch MD5/SHA1 helpers from deprecated per-hash headers/functions to mbedtls_md (mbedtls/md.h + mbedtls_md()).
  • Update autotools build files to include TF-PSA-Crypto include paths and compile the new TF-PSA-Crypto source locations.
  • Update Win32 CMake build to compile the TF-PSA-Crypto source set and adjust include directories accordingly.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
src/utils/sha1.h Migrates digest implementation to generic mbedtls_md API.
src/utils/md5.h Updates MD5 wrapper to use the updated DigestImpl template.
src/Makefile.am Adds TF-PSA-Crypto include paths for libmodsecurity compilation.
others/Makefile.am Repoints bundled Mbed TLS subset headers/sources to TF-PSA-Crypto layout.
Makefile.am Extends cppcheck include paths for TF-PSA-Crypto headers.
configure.ac Updates configure-time check to detect TF-PSA-Crypto base64 source path.
build/win32/CMakeLists.txt Rebuilds bundled crypto subset from TF-PSA-Crypto sources and updates include dirs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/utils/sha1.h Outdated
Comment thread src/utils/sha1.h Outdated
@airween
Copy link
Copy Markdown
Member

airween commented Apr 3, 2026

Hi @Easton97-Jens,

there are two SonarCloud reports in sha1.cc file, please take a look at them.

@airween airween requested a review from Copilot April 3, 2026 12:01
Copilot AI reviewed Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/utils/sha1.h Outdated
@Easton97-Jens
Refactor and improve SHA1 digest handling and mbedtls integration
c43e0c8 
- Migrate to TF-PSA-Crypto layout
- Fix include and linkage issues
- Harden runtime checks
- Improve error and exception handling
- Refactor digest helper and buffer usage
@airween airween requested a review from Copilot April 18, 2026 15:43
Copilot AI reviewed Apr 18, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/utils/sha1.h
Comment thread src/utils/sha1.h Outdated
Comment thread src/utils/sha1.h
Easton97-Jens and others added 3 commits April 18, 2026 17:49
@Easton97-Jens
Merge branch 'v3/master' into v3/master-mbedtl-v4
759843d
@Easton97-Jens
Update Makefile.am
6afa94b
@Easton97-Jens
sha1/md5: fix exception safety, remove copy, and own exception message
d713740 
sha1/md5: fix exception safety, remove copy, and own exception message

sha1/md5: fix exception safety, remove copy, and own exception message

sha1/md5: fix exception safety, remove copy, and own exception message

sha1/md5: fix exception safety, remove copy, and own exception message

win update

win update
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Apr 20, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@airween airween requested a review from Copilot April 22, 2026 15:32
@airween airween added the 3.x Related to ModSecurity version 3.x label Apr 22, 2026
Copilot AI reviewed Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 6 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/utils/sha1.h
Comment on lines +52 to +55
} catch (const DigestCalculationException&) {
assert(false);
return std::string(DigestSize, '\0');
}
Comment thread src/utils/sha1.h
Comment on lines +62 to +65
} catch (const DigestCalculationException&) {
assert(false);
value.assign(DigestSize, '\0');
}
Comment thread src/utils/sha1.h
Comment on lines +75 to +78
} catch (const DigestCalculationException&) {
assert(false);
const std::array<unsigned char, DigestSize> digestBytes = {};
const auto *digestByteData =
Comment thread configure.ac

# Check for Mbed TLS
if ! test -f "${srcdir}/others/mbedtls/library/base64.c"; then
if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/utilities/base64.c"; then
Comment thread build/win32/CMakeLists.txt
Comment on lines 53 to +57
set(MBEDTLS_DIR ${BASE_DIR}/others/mbedtls)
set(TF_PSA_CRYPTO_DIR ${MBEDTLS_DIR}/tf-psa-crypto)

add_library(mbedcrypto STATIC
${TF_PSA_CRYPTO_DIR}/utilities/base64.c
Comment thread build/win32/CMakeLists.txt
Comment on lines 95 to 99
project(libModSecurity
VERSION
3.0.12
3.0.14
LANGUAGES
CXX
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

3.x Related to ModSecurity version 3.x

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Build fails because of missing library/base64.c when using Mbed TLS 4.x — Is support planned?

3 participants

@Easton97-Jens @airween