Replace Mbed TLS source code in repository with a submodule

- Updated to latest Mbed TLS version (v3.6.0)

Author: eduar-hte

.gitmodules

@@ -7,3 +7,6 @@
 [submodule "bindings/python"]
 	path = bindings/python
 	url = https://github.com/owasp-modsecurity/ModSecurity-Python-bindings.git
+[submodule "others/mbedtls"]
+	path = others/mbedtls
+	url = https://github.com/Mbed-TLS/mbedtls.git

Makefile.am

@@ -63,7 +63,7 @@ cppcheck:
 		--enable=warning,style,performance,portability,unusedFunction,missingInclude \
 		--inconclusive \
 		--template="warning: {file},{line},{severity},{id},{message}" \
-		-I headers -I . -I others -I src -I others/mbedtls -I src/parser \
+		-I headers -I . -I others -I src -I others/mbedtls/include -I src/parser \
 		--error-exitcode=1 \
 		-i "src/parser/seclang-parser.cc" -i "src/parser/seclang-scanner.cc" \
 		--force --verbose .

build/win32/CMakeLists.txt

@@ -14,7 +14,7 @@ option(USE_ASAN        "Build with Address Sanitizer" OFF)
 
 # NOTE: MBEDTLS_CONFIG_FILE is not only required to compile the mbedtls subset in others, but also
 # when their headers are included while compiling libModSecurity
-add_compile_definitions(WIN32 _CRT_SECURE_NO_WARNINGS MBEDTLS_CONFIG_FILE="mbed-tls-config.h")
+add_compile_definitions(WIN32 _CRT_SECURE_NO_WARNINGS MBEDTLS_CONFIG_FILE="mbedtls/mbedtls_config.h")
 
 # set standards conformance preprocessor & compiler to align with cross-compiled codebase
 # NOTE: otherwise visual c++'s default compiler/preprocessor behaviour generates C4067 warnings
@@ -46,13 +46,25 @@ message("-- Detecting libinjection version - ${LIBINJECTION_VERSION}")
 
 target_compile_definitions(libinjection PRIVATE LIBINJECTION_VERSION="${LIBINJECTION_VERSION}")
 
-# mbedtls
+# mbedtls (mbedcrypto)
 
-project(mbedtls C)
+project(mbedcrypto C)
 
-add_library(mbedtls STATIC ${BASE_DIR}/others/mbedtls/base64.c ${BASE_DIR}/others/mbedtls/sha1.c ${BASE_DIR}/others/mbedtls/md5.c)
+set(MBEDTLS_DIR ${BASE_DIR}/others/mbedtls)
 
-target_include_directories(mbedtls PRIVATE ${BASE_DIR}/others)
+add_library(mbedcrypto STATIC ${MBEDTLS_DIR}/library/base64.c ${MBEDTLS_DIR}/library/sha1.c ${MBEDTLS_DIR}/library/md5.c ${MBEDTLS_DIR}/library/platform_util.c ${MBEDTLS_DIR}/library/constant_time.c)
+
+target_include_directories(mbedcrypto PRIVATE ${MBEDTLS_DIR}/include)
+
+# get mbedtls version with git describe
+execute_process(
+    COMMAND git describe
+    WORKING_DIRECTORY ${MBEDTLS_DIR}
+    OUTPUT_VARIABLE MBEDTLS_VERSION
+    OUTPUT_STRIP_TRAILING_WHITESPACE
+)
+
+message("-- Detecting Mbed TLS version - ${MBEDTLS_VERSION}")
 
 #
 # libModSecurity
@@ -126,8 +138,8 @@ file(GLOB_RECURSE libModSecuritySources ${BASE_DIR}/src/*.cc)
 add_library(libModSecurity SHARED ${libModSecuritySources})
 
 target_compile_definitions(libModSecurity PRIVATE WITH_PCRE2)
-target_include_directories(libModSecurity PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others)
-target_link_libraries(libModSecurity PRIVATE pcre2::pcre2 pthreads4w::pthreads4w libinjection mbedtls Poco::Poco Iphlpapi.lib)
+target_include_directories(libModSecurity PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others ${MBEDTLS_DIR}/include)
+target_link_libraries(libModSecurity PRIVATE pcre2::pcre2 pthreads4w::pthreads4w libinjection mbedcrypto Poco::Poco Iphlpapi.lib)
 
 macro(add_package_dependency project compile_definition link_library flag)
   if(${flag})

configure.ac

@@ -77,6 +77,27 @@ fi
 AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git describe && cd ../..))
 AC_SUBST([LIBINJECTION_VERSION])
 
+# Check for Mbed TLS
+if ! test -f "${srcdir}/others/mbedtls/library/base64.c"; then
+AC_MSG_ERROR([\
+
+
+  Mbed TLS was not found within ModSecurity source directory.
+
+  Mbed TLS code is available as part of ModSecurity source code in a format
+  of a git-submodule. git-submodule allow us to specify the correct version of
+  Mbed TLS and still uses the Mbed TLS repository to download it.
+
+  You can download Mbed TLS using git:
+
+     $ git submodule init
+     $ git submodule update
+
+   ])
+fi
+# Mbed TLS version
+AC_DEFUN([MBEDTLS_VERSION], m4_esyscmd_s(cd "others/mbedtls" && git describe && cd ../..))
+
 # SecLang test version
 AC_DEFUN([SECLANG_TEST_VERSION], m4_esyscmd_s(cd "test/test-cases/secrules-language-tests" && git log -1 --format="%h" --abbrev-commit && cd ../../..))
 
@@ -426,6 +447,8 @@ echo " "
 echo " Mandatory dependencies"
 AS_ECHO_N("   + libInjection                                  ....")
 echo LIBINJECTION_VERSION
+AS_ECHO_N("   + Mbed TLS                                      ....")
+echo MBEDTLS_VERSION
 AS_ECHO_N("   + SecLang tests                                 ....")
 echo SECLANG_TEST_VERSION
 

others/Makefile.am

@@ -15,18 +15,19 @@ noinst_HEADERS = \
 	libinjection/src/libinjection_sqli.h \
 	libinjection/src/libinjection_sqli_data.h \
 	libinjection/src/libinjection_xss.h \
-	mbedtls/base64.h \
-	mbedtls/check_config.h \
-	mbedtls/mbed-tls-config.h \
-	mbedtls/md5.h \
-	mbedtls/platform.h \
-	mbedtls/sha1.h
+	mbedtls/include/mbedtls/base64.h \
+	mbedtls/include/mbedtls/check_config.h \
+	mbedtls/include/mbedtls/mbedtls_config.h \
+	mbedtls/include/mbedtls/md5.h \
+	mbedtls/include/mbedtls/platform.h \
+	mbedtls/include/mbedtls/sha1.h
 
 libmbedtls_la_SOURCES = \
-	mbedtls/base64.c \
-	mbedtls/md5.c \
-	mbedtls/sha1.c
+	mbedtls/library/base64.c \
+	mbedtls/library/md5.c \
+	mbedtls/library/sha1.c \
+	mbedtls/library/platform_util.c
 
-libmbedtls_la_CFLAGS = -D MBEDTLS_CONFIG_FILE=\"mbed-tls-config.h\" -Iothers
+libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -Imbedtls/include
 libmbedtls_la_CPPFLAGS =
 libmbedtls_la_LIBADD =