Add initial mbedTLS v4 support

Makefile.am

@@ -63,7 +63,7 @@ cppcheck:
 		--enable=warning,style,performance,portability,unusedFunction,missingInclude \
 		--inconclusive \
 		--template="warning: {file},{line},{severity},{id},{message}" \
-		-I headers -I . -I $(top_srcdir)/others -I $(top_srcdir)/src -I $(top_srcdir)/others/mbedtls/include \
+		-I headers -I . -I $(top_srcdir)/others -I $(top_srcdir)/src -I $(top_srcdir)/others/mbedtls/include -I $(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I $(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \
 		--error-exitcode=1 \
 		-i "src/parser/seclang-parser.cc" -i "src/parser/seclang-scanner.cc" \
 		-i others \
@@ -99,4 +99,3 @@ pkgconfig_DATA = modsecurity.pc
 EXTRA_DIST = modsecurity.pc.in \
              modsecurity.conf-recommended \
              unicode.mapping
-

README.md

@@ -47,36 +47,51 @@ Keeping these connectors separated allows each project to have different release
 
 # Compilation
 
-Before starting the compilation process, make sure that you have all the
-dependencies in place. Read the subsection “Dependencies”  for further
-information.
+Before starting the compilation process, make sure that all required dependencies are installed.  
+See the [Dependencies](#dependencies) and [Git submodules](#Git-submodules) section for further information.
 
-After the compilation make sure that there are no issues on your
-build/platform. We strongly recommend the utilization of the unit tests and
-regression tests. These test utilities are located under the subfolder ‘tests’.
+After compilation, make sure that there are no issues on your build/platform.  
+We strongly recommend running the unit tests and regression tests. These test utilities are located in the [`tests/`](#testing-your-patch) subfolder.
 
-As a dynamic library, don’t forget that libmodsecurity must be installed to a location (folder) where you OS will be looking for dynamic libraries.
+As a dynamic library, `libmodsecurity` must be installed in a location where your operating system can find dynamic libraries.
 
+### Unix (Linux, macOS, FreeBSD, …)
 
+On Unix-like systems, the project uses autotools for the compilation process.
 
-### Unix (Linux, MacOS, FreeBSD, …)
+If you are working with a git checkout, make sure to clone the repository recursively or initialize all submodules before building.  
+See also the [Git submodules](#git-submodules) section.
 
-On unix the project uses autotools to help the compilation process. Please note that if you are working with `git`, don't forget to initialize and update the submodules. Here's a quick how-to:
-```shell
-$ git clone --recursive https://github.com/owasp-modsecurity/ModSecurity ModSecurity
-$ cd ModSecurity
+```sh
+git clone https://github.com/owasp-modsecurity/ModSecurity ModSecurity
+cd ModSecurity
+````
+
+This repository uses git submodules. After cloning, make sure to initialize and fetch all submodules:
+
+```sh
+git submodule update --init --recursive
+```
+
+You can verify that all submodules are properly initialized with:
+
+```sh
+git submodule status
 ```
 
+Submodules that are correctly initialized show a commit hash.
+A leading `-` indicates that the submodule has not been initialized.
+
 You can then start the build process:
 
-```shell
-$ ./build.sh
-$ ./configure
-$ make
-$ sudo make install
+```sh
+./build.sh
+./configure
+make
+sudo make install
 ```
 
-Details on distribution specific builds can be found in our Wiki:
+Details on distribution-specific builds can be found in our Wiki:
 [Compilation Recipes](https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes)
 
 ### Windows
@@ -85,15 +100,110 @@ Windows build information can be found [here](build/win32/README.md).
 
 ## Dependencies
 
-This library is written in C++ using the C++17 standards. It also uses Flex
-and Yacc to produce the “Sec Rules Language” parser. Other, mandatory dependencies include YAJL, as ModSecurity uses JSON for producing logs and its testing framework, libpcre (not yet mandatory) for processing regular expressions in SecRules, and libXML2 (not yet mandatory) which is used for parsing XML requests.
+* This library is written in C++ using the C++17 standard.
+* It uses Flex and Bison (Yacc) to produce the “Sec Rules Language” parser.
+* Mandatory dependencies include YAJL, as ModSecurity uses JSON for logging and its testing framework.
+* libXML2 (optional) is used for parsing XML requests.
+
+### Regular expression engine (PCRE2 / PCRE)
+
+* Regular expression processing in SecRules is implemented via the `Regex` utility (`src/utils/regex.*`).
+* By default, ModSecurity uses **PCRE2** for regex handling.
+* This is used by operators such as `@rx`, `@rxGlobal`, and `@verifyCC`.
+* Build-time behavior:
+
+  * **Default:** PCRE2 is detected and used.
+  * **Fallback:** legacy PCRE can be used if `--with-pcre` is explicitly provided (`WITH_PCRE`).
+* In other words, current builds expect PCRE2 unless explicitly configured otherwise.
+
+All other dependencies are related to operators specified within SecRules or configuration directives and may not be required for compilation.
+
+### Operator-related dependencies
+
+* `libinjection` is required for the operators `@detectXSS` and `@detectSQL`.
+* `curl` is required for the directive `SecRemoteRules`.
+
+If those libraries are missing, ModSecurity will be compiled without support for the respective operators or directives.
+
+### Git-submodules
+
+The repository includes the following submodules:
+
+* `others/libinjection` – used by `@detectSQLi` and `@detectXSS` operators.
+
+* `others/mbedtls` (TF-PSA-Crypto subset) – used for cryptographic functions and helpers (e.g. hashing, base64).
+
+  **Note:** The newer mbedTLS v4 layout is not compatible with the older v3 structure.
+  The internal structure has changed significantly, and many components have been moved into submodules (e.g. TF-PSA-Crypto).
+
+  After merging PR #3532, it is required to run:
+
+  ```sh
+  git submodule update --init --recursive
+  ```
+
+  This ensures that all required submodules are fetched. Without this step, the project will not build successfully.
+
+  You can verify that all submodules are properly initialized with:
+
+  ```sh
+  git submodule status
+  ```
+
+  Example output:
+
+  ```sh
+  bc625d5... bindings/python
+  2117822... others/libinjection (v4.0.0)
+  0fe989b... others/mbedtls (v4.1.0)
+  a3d4405... test/test-cases/secrules-language-tests
+  ```
+
+  If a submodule is missing, it will be shown with a leading `-`, for example:
+
+  ```sh
+  -bc625d5... bindings/python
+  ```
+
+  A leading `-` indicates that the submodule has not been initialized or fetched.
+
+* `test/test-cases/secrules-language-tests` – shared SecRules conformance and regression test suite used by `make check`.
+
+* `bindings/python` – Python bindings for ModSecurity (not required for core library compilation).
+
+`others/libinjection` and `others/mbedtls` are effectively required for source builds and must be initialized before building.
+
+### Optional external dependencies
+
+Several external libraries are optional and enable additional features, including:
+
+* `libcurl` – required for `SecRemoteRules`
+
+* LMDB – persistent storage support
+
+* Lua – scripting support
+
+* XML libraries – extended XML processing
+
+* **GeoIP (legacy) / MaxMind**
+
+  The legacy **GeoIP C API** (libGeoIP) is **deprecated and no longer maintained** by MaxMind.
+  The upstream repository has been archived and should not be used for new deployments.
+
+  Instead, ModSecurity supports the modern **MaxMind DB API (libmaxminddb)**, which is actively maintained.
+
+  During configuration you may see something like:
+
+  ```sh
+  + GeoIP/MaxMind                                 ....found
+      * (MaxMind) v1.12.2
+         -lmaxminddb , -I/usr/include/x86_64-linux-gnu
+  ```
 
-All others dependencies are related to operators specified within SecRules or configuration directives and may not be required for compilation. A short list of such dependencies is as follows:
+  This indicates that **libmaxminddb** is being used (recommended).
 
-* libinjection is needed for the operator @detectXSS and @detectSQL
-* curl is needed for the directive SecRemoteRules.
+  It is strongly recommended to use MaxMind DB instead of the legacy GeoIP library.
 
-If those libraries are missing ModSecurity will be compiled without the support for the operator @detectXSS and the configuration directive SecRemoteRules.
 
 # Library documentation
 

build/win32/CMakeLists.txt

@@ -51,10 +51,32 @@ target_compile_definitions(libinjection PRIVATE LIBINJECTION_VERSION="${LIBINJEC
 project(mbedcrypto C)
 
 set(MBEDTLS_DIR ${BASE_DIR}/others/mbedtls)
+set(TF_PSA_CRYPTO_DIR ${MBEDTLS_DIR}/tf-psa-crypto)
+
+add_library(mbedcrypto STATIC
+  ${TF_PSA_CRYPTO_DIR}/utilities/base64.c
+  ${TF_PSA_CRYPTO_DIR}/utilities/constant_time.c
+  ${TF_PSA_CRYPTO_DIR}/platform/platform_util.c
+  ${TF_PSA_CRYPTO_DIR}/extras/md.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/md5.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/sha1.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/sha256.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/sha512.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/sha3.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/ripemd160.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/psa_util_internal.c
+)
 
-add_library(mbedcrypto STATIC ${MBEDTLS_DIR}/library/base64.c ${MBEDTLS_DIR}/library/sha1.c ${MBEDTLS_DIR}/library/md5.c ${MBEDTLS_DIR}/library/platform_util.c ${MBEDTLS_DIR}/library/constant_time.c)
-
-target_include_directories(mbedcrypto PRIVATE ${MBEDTLS_DIR}/include)
+target_include_directories(mbedcrypto PRIVATE
+  ${MBEDTLS_DIR}/include
+  ${TF_PSA_CRYPTO_DIR}/include
+  ${TF_PSA_CRYPTO_DIR}/core
+  ${TF_PSA_CRYPTO_DIR}/extras
+  ${TF_PSA_CRYPTO_DIR}/library
+  ${TF_PSA_CRYPTO_DIR}/utilities
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/include
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src
+)
 
 # get mbedtls version with git describe
 execute_process(
@@ -72,7 +94,7 @@ message("-- Detecting Mbed TLS version - ${MBEDTLS_VERSION}")
 
 project(libModSecurity
     VERSION
-        3.0.12
+        3.0.14
     LANGUAGES
         CXX
 )
@@ -137,7 +159,7 @@ file(GLOB_RECURSE libModSecuritySources ${BASE_DIR}/src/*.cc)
 add_library(libModSecurity SHARED ${libModSecuritySources})
 
 target_compile_definitions(libModSecurity PRIVATE WITH_PCRE2)
-target_include_directories(libModSecurity PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others ${MBEDTLS_DIR}/include)
+target_include_directories(libModSecurity PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others ${MBEDTLS_DIR}/include ${TF_PSA_CRYPTO_DIR}/include ${TF_PSA_CRYPTO_DIR}/drivers/builtin/include)
 target_link_libraries(libModSecurity PRIVATE pcre2::pcre2 libinjection mbedcrypto Poco::Poco Iphlpapi.lib)
 
 macro(add_package_dependency project compile_definition link_library flag)

build/win32/README.md

@@ -18,15 +18,15 @@ The Windows build of libModSecurity uses Build Tools for Visual Studio 2022 (for
         * Windows SDK
         * CMake
         * Address Sanitizer
- * [Conan package manager 2.10.2](https://github.com/conan-io/conan/releases/download/2.10.2/conan-2.10.2-windows-x86_64-installer.exe)
+ * [Conan package manager 2.27.1](https://github.com/conan-io/conan/releases/download/2.27.1/conan-2.27.1-windows-x86_64-installer.exe)
     * Install and then setup the default Conan profile to use the MSVC C++ compiler:
       1. Open a command-prompt and set the MSVC C++ compiler environment by executing: `C:\BuildTools\VC\Auxiliary\Build\vcvars64.bat`
       2. Execute: `conan profile detect --force`
- * [Git for Windows 2.44.0](https://github.com/git-for-windows/git/releases/download/v2.44.0.windows.1/Git-2.44.0-64-bit.exe)
+ * [Git for Windows 2.53.0](https://github.com/git-for-windows/git/releases/download/v2.53.0.windows.1/Git-2.53.0-64-bit.exe)
     * To clone the libModSecurity repository.
-    * NOTE: Make sure to initialize and update submodules (to get `libinjection` and regression tests)
-      * `git submodule init`
-      * `git submodule update`
+    * NOTE: Make sure to initialize and update submodules (to get `libinjection`, `mbedtls` and regression tests)
+      * `git submodule update --init --recursive`
+      * `git submodule status`
 
 ## Build
 
@@ -65,11 +65,11 @@ NOTE: When building a different configuration, it's recommended to reset:
 
 By default the following all the following features are enabled by including the associated third-party library through a Conan package:
 
- * libxml2 2.12.6 for XML processing support
- * libcurl 8.6.0 to support http requests from rules
- * libmaxminddb 1.9.1 to support reading MaxMind DB files.
- * LUA 5.4.6 to enable rules to run scripts in this language for extensibility
- * lmdb 0.9.31 in-memory database
+ * libxml2 2.15.2 for XML processing support
+ * libcurl 8.19.0 to support http requests from rules
+ * libmaxminddb 1.12.2 to support reading MaxMind DB files.
+ * LUA 5.5.0 to enable rules to run scripts in this language for extensibility
+ * lmdb 0.9.32 in-memory database
 
 Each of these can be turned off by updating the associated `HAVE_xxx` variable (setting it to zero) in the beginning of the libModSecurity section of `CMakeLists.txt`.
 

build/win32/conanfile.txt

@@ -1,13 +1,13 @@
 [requires]
 yajl/2.1.0
-pcre2/10.42
-libxml2/2.12.6
-lua/5.4.6
-libcurl/8.6.0
-lmdb/0.9.31
-libmaxminddb/1.9.1
+pcre2/10.44
+libxml2/2.15.2
+lua/5.5.0
+libcurl/8.19.0
+lmdb/0.9.32
+libmaxminddb/1.12.2
 dirent/1.24
-poco/1.13.3
+poco/1.14.2
 
 [generators]
 CMakeDeps

build/win32/docker/Dockerfile

@@ -24,7 +24,7 @@ RUN C:\TEMP\InstallBuildTools.cmd C:\TEMP\vs_buildtools.exe --quiet --wait --nor
     --installPath C:\BuildTools
 
 # download & install GIT
-ARG GIT_VERSION=2.44.0
+ARG GIT_VERSION=2.53.0
 ARG GIT_BINARY=Git-${GIT_VERSION}-64-bit.exe
 ARG GIT_URL=https://github.com/git-for-windows/git/releases/download/v${GIT_VERSION}.windows.1/${GIT_BINARY}
 
@@ -35,7 +35,7 @@ RUN %INSTALLER% /SP- /VERYSILENT /SUPPRESSMSGBOXES /NOCANCEL `
     /NORESTART /CLOSEAPPLICATIONS /RESTARTAPPLICATIONS /LOADINF=git.inf
 
 # download & setup conan
-ARG CONAN_VERSION=2.10.2
+ARG CONAN_VERSION=2.27.1
 ARG CONAN_BINARY=conan-${CONAN_VERSION}-windows-x86_64-installer.exe
 ARG CONAN_URL=https://github.com/conan-io/conan/releases/download/${CONAN_VERSION}/${CONAN_BINARY}
 
@@ -87,7 +87,7 @@ RUN cmd.exe /C copy "C:\Program Files\GIT\usr\bin" \bin > NUL
 RUN cmd.exe /C copy "C:\Program Files\GIT\usr\bin\echo.exe" \bin\echo > NUL
 
 # disable tests that don't work on windows
-ARG JQ_VERSION=1.7.1
+ARG JQ_VERSION=1.8.1
 ARG JQ_BINARY=jq-windows-amd64.exe
 ARG JQ_URL=https://github.com/jqlang/jq/releases/download/jq-${JQ_VERSION}/${JQ_BINARY}
 

configure.ac

@@ -84,7 +84,7 @@ AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git de
 AC_SUBST([LIBINJECTION_VERSION])
 
 # Check for Mbed TLS
-if ! test -f "${srcdir}/others/mbedtls/library/base64.c"; then
+if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/utilities/base64.c"; then
 AC_MSG_ERROR([\
 
 
@@ -532,4 +532,3 @@ if test "$aflFuzzer" = "true"; then
     echo "  $ export CC=afl-clang-fast "
     echo " "
 fi
-

others/Makefile.am

@@ -16,19 +16,25 @@ noinst_HEADERS = \
 	libinjection/src/libinjection_sqli_data.h \
 	libinjection/src/libinjection_xss.h \
 	libinjection/src/libinjection_error.h \
-	mbedtls/include/mbedtls/base64.h \
-	mbedtls/include/mbedtls/check_config.h \
+	mbedtls/tf-psa-crypto/include/mbedtls/base64.h \
+	mbedtls/tf-psa-crypto/core/check_crypto_config.h \
 	mbedtls/include/mbedtls/mbedtls_config.h \
-	mbedtls/include/mbedtls/md5.h \
-	mbedtls/include/mbedtls/platform.h \
-	mbedtls/include/mbedtls/sha1.h
+	mbedtls/tf-psa-crypto/include/mbedtls/md.h \
+	mbedtls/tf-psa-crypto/include/mbedtls/platform.h
 
 libmbedtls_la_SOURCES = \
-	mbedtls/library/base64.c \
-	mbedtls/library/md5.c \
-	mbedtls/library/sha1.c \
-	mbedtls/library/platform_util.c
+	mbedtls/tf-psa-crypto/utilities/base64.c \
+	mbedtls/tf-psa-crypto/utilities/constant_time.c \
+	mbedtls/tf-psa-crypto/platform/platform_util.c \
+	mbedtls/tf-psa-crypto/extras/md.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/sha256.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/sha512.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/sha3.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/ripemd160.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/psa_util_internal.c
 
-libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include
+libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/extras -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/library -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/utilities -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src
 libmbedtls_la_CPPFLAGS =
 libmbedtls_la_LIBADD =