
Add initial mbedTLS v4 support#3532

Open
Easton97-Jens wants to merge 13 commits intoowasp-modsecurity:v3/masterfrom
Easton97-Jens:v3/master-mbedtl-v4

Conversation

@Easton97-Jens
Contributor

what

  • Added initial support for Mbed TLS 4.x (TF-PSA-Crypto layout)
  • Updated build system (autotools + CMake) to use new TF-PSA include paths and sources
  • Replaced direct usage of deprecated/removed headers (md5.h, sha1.h) with generic mbedtls_md API
  • Adjusted include paths and compiler flags to match the new directory structure
  • Updated detection logic in configure.ac to work with Mbed TLS 4.x layout
  • Ensured compatibility without changing external targets or package discovery behavior

why

  • Mbed TLS 4.x introduces breaking changes and a new internal layout (TF-PSA-Crypto)
  • Previous build logic relied on files like library/base64.c which no longer exist in 4.x
  • This caused build failures during ./configure and compilation
  • These changes allow ModSecurity to build successfully with modern Mbed TLS versions
  • Keeps changes minimal and backward-compatible with existing build expectations

references

Contributor

Copilot AI left a comment


Pull request overview

Adds initial build/runtime compatibility with Mbed TLS 4.x’s TF-PSA-Crypto layout by updating bundled Mbed TLS paths/sources and migrating MD5/SHA1 hashing to the generic mbedtls_md API.

Changes:

  • Switch MD5/SHA1 helpers from deprecated per-hash headers/functions to mbedtls_md (mbedtls/md.h + mbedtls_md()).
  • Update autotools build files to include TF-PSA-Crypto include paths and compile the new TF-PSA-Crypto source locations.
  • Update Win32 CMake build to compile the TF-PSA-Crypto source set and adjust include directories accordingly.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

File                        Description
src/utils/sha1.h            Migrates digest implementation to generic mbedtls_md API.
src/utils/md5.h             Updates MD5 wrapper to use the updated DigestImpl template.
src/Makefile.am             Adds TF-PSA-Crypto include paths for libmodsecurity compilation.
others/Makefile.am          Repoints bundled Mbed TLS subset headers/sources to TF-PSA-Crypto layout.
Makefile.am                 Extends cppcheck include paths for TF-PSA-Crypto headers.
configure.ac                Updates configure-time check to detect TF-PSA-Crypto base64 source path.
build/win32/CMakeLists.txt  Rebuilds bundled crypto subset from TF-PSA-Crypto sources and updates include dirs.


…n-in-sha1.h

Handle mbedtls errors and use unsigned buffer for digest in SHA1 utils
…arcloud-findings

Use std::string_view and std::array in DigestImpl::digestHelper
@airween
Member

airween commented Apr 3, 2026

Hi @Easton97-Jens,

there are two SonarCloud reports in the sha1.cc file, please take a look at them.

…s-in-sha1.h

Remove reinterpret_casts in src/utils/sha1.h; use safer static_cast via void*
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.



Added error handling for mbedtls_md_info_from_type and mbedtls_md calls in digestHelper.
@sonarqubecloud

sonarqubecloud bot commented Apr 3, 2026


Development

Successfully merging this pull request may close these issues.

Build fails because of missing library/base64.c when using Mbed TLS 4.x — Is support planned?

3 participants