Refactor and improve SHA1 digest handling and mbedtls integration

- Migrate to TF-PSA-Crypto layout
- Fix include and linkage issues
- Harden runtime checks
- Improve error and exception handling
- Refactor digest helper and buffer usage

Author: Easton97-Jens

Makefile.am

@@ -63,7 +63,7 @@ cppcheck:
 		--enable=warning,style,performance,portability,unusedFunction,missingInclude \
 		--inconclusive \
 		--template="warning: {file},{line},{severity},{id},{message}" \
-		-I headers -I . -I $(top_srcdir)/others -I $(top_srcdir)/src -I $(top_srcdir)/others/mbedtls/include \
+		-I headers -I . -I $(top_srcdir)/others -I $(top_srcdir)/src -I $(top_srcdir)/others/mbedtls/include -I $(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I $(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \
 		--error-exitcode=1 \
 		-i "src/parser/seclang-parser.cc" -i "src/parser/seclang-scanner.cc" \
 		-i others \
@@ -99,4 +99,3 @@ pkgconfig_DATA = modsecurity.pc
 EXTRA_DIST = modsecurity.pc.in \
              modsecurity.conf-recommended \
              unicode.mapping
-

build/win32/CMakeLists.txt

@@ -51,10 +51,32 @@ target_compile_definitions(libinjection PRIVATE LIBINJECTION_VERSION="${LIBINJEC
 project(mbedcrypto C)
 
 set(MBEDTLS_DIR ${BASE_DIR}/others/mbedtls)
+set(TF_PSA_CRYPTO_DIR ${MBEDTLS_DIR}/tf-psa-crypto)
+
+add_library(mbedcrypto STATIC
+  ${TF_PSA_CRYPTO_DIR}/utilities/base64.c
+  ${TF_PSA_CRYPTO_DIR}/utilities/constant_time.c
+  ${TF_PSA_CRYPTO_DIR}/platform/platform_util.c
+  ${TF_PSA_CRYPTO_DIR}/extras/md.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/md5.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/sha1.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/sha256.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/sha512.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/sha3.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/ripemd160.c
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src/psa_util_internal.c
+)
 
-add_library(mbedcrypto STATIC ${MBEDTLS_DIR}/library/base64.c ${MBEDTLS_DIR}/library/sha1.c ${MBEDTLS_DIR}/library/md5.c ${MBEDTLS_DIR}/library/platform_util.c ${MBEDTLS_DIR}/library/constant_time.c)
-
-target_include_directories(mbedcrypto PRIVATE ${MBEDTLS_DIR}/include)
+target_include_directories(mbedcrypto PRIVATE
+  ${MBEDTLS_DIR}/include
+  ${TF_PSA_CRYPTO_DIR}/include
+  ${TF_PSA_CRYPTO_DIR}/core
+  ${TF_PSA_CRYPTO_DIR}/extras
+  ${TF_PSA_CRYPTO_DIR}/library
+  ${TF_PSA_CRYPTO_DIR}/utilities
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/include
+  ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src
+)
 
 # get mbedtls version with git describe
 execute_process(
@@ -137,7 +159,7 @@ file(GLOB_RECURSE libModSecuritySources ${BASE_DIR}/src/*.cc)
 add_library(libModSecurity SHARED ${libModSecuritySources})
 
 target_compile_definitions(libModSecurity PRIVATE WITH_PCRE2)
-target_include_directories(libModSecurity PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others ${MBEDTLS_DIR}/include)
+target_include_directories(libModSecurity PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others ${MBEDTLS_DIR}/include ${TF_PSA_CRYPTO_DIR}/include ${TF_PSA_CRYPTO_DIR}/drivers/builtin/include)
 target_link_libraries(libModSecurity PRIVATE pcre2::pcre2 libinjection mbedcrypto Poco::Poco Iphlpapi.lib)
 
 macro(add_package_dependency project compile_definition link_library flag)

configure.ac

@@ -84,7 +84,7 @@ AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git de
 AC_SUBST([LIBINJECTION_VERSION])
 
 # Check for Mbed TLS
-if ! test -f "${srcdir}/others/mbedtls/library/base64.c"; then
+if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/utilities/base64.c"; then
 AC_MSG_ERROR([\
 
 
@@ -532,4 +532,3 @@ if test "$aflFuzzer" = "true"; then
     echo "  $ export CC=afl-clang-fast "
     echo " "
 fi
-

others/Makefile.am

@@ -15,19 +15,24 @@ noinst_HEADERS = \
 	libinjection/src/libinjection_sqli.h \
 	libinjection/src/libinjection_sqli_data.h \
 	libinjection/src/libinjection_xss.h \
-	mbedtls/include/mbedtls/base64.h \
-	mbedtls/include/mbedtls/check_config.h \
+	mbedtls/tf-psa-crypto/include/mbedtls/base64.h \
 	mbedtls/include/mbedtls/mbedtls_config.h \
-	mbedtls/include/mbedtls/md5.h \
-	mbedtls/include/mbedtls/platform.h \
-	mbedtls/include/mbedtls/sha1.h
+	mbedtls/tf-psa-crypto/include/mbedtls/md.h \
+	mbedtls/tf-psa-crypto/include/mbedtls/platform.h
 
 libmbedtls_la_SOURCES = \
-	mbedtls/library/base64.c \
-	mbedtls/library/md5.c \
-	mbedtls/library/sha1.c \
-	mbedtls/library/platform_util.c
+	mbedtls/tf-psa-crypto/utilities/base64.c \
+	mbedtls/tf-psa-crypto/utilities/constant_time.c \
+	mbedtls/tf-psa-crypto/platform/platform_util.c \
+	mbedtls/tf-psa-crypto/extras/md.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/sha256.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/sha512.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/sha3.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/ripemd160.c \
+	mbedtls/tf-psa-crypto/drivers/builtin/src/psa_util_internal.c
 
-libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include
+libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/extras -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/library -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/utilities -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src
 libmbedtls_la_CPPFLAGS =
 libmbedtls_la_LIBADD =

src/Makefile.am

@@ -296,6 +296,8 @@ libmodsecurity_la_CPPFLAGS = \
 	-g \
 	-I$(top_srcdir)/others \
 	-I$(top_srcdir)/others/mbedtls/include \
+	-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \
+	-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \
 	-fPIC \
 	-O3 \
 	-I$(top_srcdir)/headers \
@@ -343,4 +345,3 @@ libmodsecurity_la_LIBADD = \
 	$(MAXMIND_LDADD) \
 	$(SSDEEP_LDADD) \
 	$(YAJL_LDADD)
-

src/utils/md5.h

@@ -17,16 +17,15 @@
 #define SRC_UTILS_MD5_H_
 
 #include "src/utils/sha1.h"
-#include "mbedtls/md5.h"
 #include <string>
 
 namespace modsecurity::Utils {
 
 
-class Md5 : public DigestImpl<&mbedtls_md5, 16> {
+class Md5 : public DigestImpl<MBEDTLS_MD_MD5, 16> {
 };
 
 
 }  // namespace modsecurity::Utils
 
-#endif  // SRC_UTILS_MD5_H_
+#endif  // SRC_UTILS_MD5_H_

src/utils/sha1.h

@@ -3,7 +3,7 @@
  * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
  *
  * You may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
+ * the License. You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
@@ -16,60 +16,79 @@
 #ifndef SRC_UTILS_SHA1_H_
 #define SRC_UTILS_SHA1_H_
 
+#include <array>
+#include <exception>
 #include <string>
-#include <cassert>
+#include <string_view>
 
 #include "src/utils/string.h"
-#include "mbedtls/sha1.h"
+#include "mbedtls/md.h"
 
 namespace modsecurity::Utils {
 
+class DigestCalculationException : public std::exception {
+ public:
+    explicit DigestCalculationException(const char *message) noexcept
+        : m_message(message) { }
 
-using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []);
+    const char *what() const noexcept override {
+        return m_message;
+    }
 
+ private:
+    const char *m_message;
+};
 
-template<DigestOp digestOp, int DigestSize>
+
+template<mbedtls_md_type_t DigestType, int DigestSize>
 class DigestImpl {
  public:
-
     static std::string digest(const std::string& input) {
-        return digestHelper(input, [](const auto digest) { 
-            return std::string(digest);
-        });
+        const auto digestBytes = calculateDigest(input);
+        return std::string(digestBytes.begin(), digestBytes.end());
     }
 
     static void digestReplace(std::string& value) {
-        digestHelper(value, [&value](const auto digest) mutable { 
-            value = digest;
-        });
+        const auto digestBytes = calculateDigest(value);
+        value.assign(digestBytes.begin(), digestBytes.end());
     }
 
-    static std::string hexdigest(const std::string &input) {
-        return digestHelper(input, [](const auto digest) { 
-            return utils::string::string_to_hex(digest);
-        });
+    static std::string hexdigest(const std::string& input) {
+        const auto digestBytes = calculateDigest(input);
+        const std::string digestString(digestBytes.begin(), digestBytes.end());
+        return utils::string::string_to_hex(digestString);
     }
 
-private:
-
-    template<typename ConvertOp>
-    static auto digestHelper(const std::string &input,
-        ConvertOp convertOp) -> auto {
-        char digest[DigestSize];
-
-        const auto ret = (*digestOp)(reinterpret_cast<const unsigned char *>(input.c_str()),
-                 input.size(), reinterpret_cast<unsigned char *>(digest));
-        assert(ret == 0);
-
-        return convertOp(std::string_view(digest, DigestSize));
+ private:
+    static std::array<unsigned char, DigestSize> calculateDigest(
+        std::string_view input) {
+        std::array<unsigned char, DigestSize> digestBytes = {};
+
+        const mbedtls_md_info_t *mdInfo = mbedtls_md_info_from_type(DigestType);
+        if (mdInfo == nullptr) {
+            throw DigestCalculationException(
+                "mbedtls_md_info_from_type() returned nullptr");
+        }
+
+        const auto *inputBytes =
+            static_cast<const unsigned char *>(static_cast<const void *>(input.data()));
+
+        if (const int ret = mbedtls_md(
+                mdInfo,
+                inputBytes,
+                input.size(),
+                digestBytes.data()); ret != 0) {
+            throw DigestCalculationException("mbedtls_md() failed");
+        }
+
+        return digestBytes;
     }
 };
 
 
-class Sha1 : public DigestImpl<&mbedtls_sha1, 20> {
+class Sha1 : public DigestImpl<MBEDTLS_MD_SHA1, 20> {
 };
 
-
 }  // namespace modsecurity::Utils
 
 #endif  // SRC_UTILS_SHA1_H_